CVE-2011-5064

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Affected Software

Name	Vendor	Start Version	End Version
Tomcat	Apache	5.5.0 (including)	5.5.0 (including)
Tomcat	Apache	5.5.1 (including)	5.5.1 (including)
Tomcat	Apache	5.5.2 (including)	5.5.2 (including)
Tomcat	Apache	5.5.3 (including)	5.5.3 (including)
Tomcat	Apache	5.5.4 (including)	5.5.4 (including)
Tomcat	Apache	5.5.5 (including)	5.5.5 (including)
Tomcat	Apache	5.5.6 (including)	5.5.6 (including)
Tomcat	Apache	5.5.7 (including)	5.5.7 (including)
Tomcat	Apache	5.5.8 (including)	5.5.8 (including)
Tomcat	Apache	5.5.9 (including)	5.5.9 (including)
Tomcat	Apache	5.5.10 (including)	5.5.10 (including)
Tomcat	Apache	5.5.11 (including)	5.5.11 (including)
Tomcat	Apache	5.5.12 (including)	5.5.12 (including)
Tomcat	Apache	5.5.13 (including)	5.5.13 (including)
Tomcat	Apache	5.5.14 (including)	5.5.14 (including)
Tomcat	Apache	5.5.15 (including)	5.5.15 (including)
Tomcat	Apache	5.5.16 (including)	5.5.16 (including)
Tomcat	Apache	5.5.17 (including)	5.5.17 (including)
Tomcat	Apache	5.5.18 (including)	5.5.18 (including)
Tomcat	Apache	5.5.19 (including)	5.5.19 (including)
Tomcat	Apache	5.5.20 (including)	5.5.20 (including)
Tomcat	Apache	5.5.21 (including)	5.5.21 (including)
Tomcat	Apache	5.5.22 (including)	5.5.22 (including)
Tomcat	Apache	5.5.23 (including)	5.5.23 (including)
Tomcat	Apache	5.5.24 (including)	5.5.24 (including)
Tomcat	Apache	5.5.25 (including)	5.5.25 (including)
Tomcat	Apache	5.5.26 (including)	5.5.26 (including)
Tomcat	Apache	5.5.27 (including)	5.5.27 (including)
Tomcat	Apache	5.5.28 (including)	5.5.28 (including)
Tomcat	Apache	5.5.29 (including)	5.5.29 (including)
Tomcat	Apache	5.5.30 (including)	5.5.30 (including)
Tomcat	Apache	5.5.31 (including)	5.5.31 (including)
Tomcat	Apache	5.5.32 (including)	5.5.32 (including)
Tomcat	Apache	5.5.33 (including)	5.5.33 (including)
JBEWP 5 for RHEL 5	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el5	*
JBEWP 5 for RHEL 6	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el6	*
JBoss Communications Platform 5.1	RedHat		*
JBoss Enterprise BRMS Platform 5.1	RedHat		*
Red Hat Enterprise Linux 5	RedHat	tomcat5-0:5.5.23-0jpp.22.el5_7	*
Red Hat Enterprise Linux 6	RedHat	tomcat6-0:6.0.24-35.el6_1	*
Red Hat JBoss Enterprise Application Platform 4.3	RedHat		*
Red Hat JBoss Enterprise Application Platform 5.1	RedHat		*
Red Hat JBoss Enterprise Application Platform 5 for RHEL 4	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el4	*
Red Hat JBoss Enterprise Application Platform 5 for RHEL 5	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el5	*
Red Hat JBoss Enterprise Application Platform 5 for RHEL 6	RedHat	jbossweb-0:2.1.12-3_patch_03.2.ep5.el6	*
Red Hat JBoss Enterprise Web Server 1 for RHEL 5	RedHat	tomcat5-0:5.5.33-27_patch_07.ep5.el5	*
Red Hat JBoss Enterprise Web Server 1 for RHEL 5	RedHat	tomcat6-0:6.0.32-24_patch_07.ep5.el5	*
Red Hat JBoss Enterprise Web Server 1 for RHEL 6	RedHat	tomcat5-0:5.5.33-28_patch_07.ep5.el6	*
Red Hat JBoss Enterprise Web Server 1 for RHEL 6	RedHat	tomcat6-0:6.0.32-24_patch_07.ep5.el6	*
Red Hat JBoss Portal 4.3	RedHat		*
Red Hat JBoss Portal 5.2	RedHat		*
Red Hat JBoss SOA Platform 5.2	RedHat		*
Red Hat JBoss Web Platform 5.1	RedHat		*
Red Hat JBoss Web Server 1.0	RedHat		*
Red Hat JBoss Web Server 1.0	RedHat		*
Tomcat5.5	Ubuntu	hardy	*
Tomcat6	Ubuntu	devel	*
Tomcat6	Ubuntu	lucid	*
Tomcat6	Ubuntu	maverick	*
Tomcat6	Ubuntu	natty	*
Tomcat6	Ubuntu	oneiric	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-5064
CWE	https://cwe.mitre.org/data/definitions/310.html

Affected Software

References