Exposure of Sensitive Information in Apache Tomcat
Moderate severity
GitHub Reviewed
Published May 2, 2022 to the GitHub Advisory Database • Updated Feb 13, 2023
Package
Affected versions: >= 4.1.0, < 4.1.40; >= 5.0.0, < 5.5.28; >= 6.0.0, < 6.0.19
Patched versions: 4.1.40, 5.5.28, 6.0.19
Published by the National Vulnerability Database: Jun 5, 2009
Published to the GitHub Advisory Database: May 2, 2022
Reviewed: Jun 17, 2022
Last updated: Feb 13, 2023
Description
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
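As an added illustration, not the advisory's or Tomcat's own code: a model of the bug class described above, where a malformed j_password only triggers an unhandled error after the username lookup has succeeded, beside the hardened form that validates the credential first and fails identically for every bad input. It assumes a plaintext-compare user store, as in a MemoryRealm without a digest, and a form decoder that returns a null credential for a bad escape; both are constructed for the example.

```python
"""Model of the advisory's bug class (constructed, not Tomcat source): a password
error that is only raised after the user lookup succeeds lets a caller tell valid
usernames from invalid ones by the response status."""
import hmac
from typing import Callable, Optional

# Constructed user store; assumes plaintext credentials, like a MemoryRealm without a digest.
USERS = {"alice": "s3cret", "bob": "hunter2"}

def decode_form_value(raw: str) -> Optional[bytes]:
    """Strict form decoder: a malformed escape such as a lone '%' yields None."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == "+":
            out.append(0x20)
            i += 1
        elif raw[i] == "%":
            pair = raw[i + 1:i + 3]
            if len(pair) != 2 or any(c not in "0123456789abcdefABCDEF" for c in pair):
                return None  # null credential reaches the realm unchecked
            out.append(int(pair, 16))
            i += 3
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return bytes(out)

def vulnerable_login(j_username: str, j_password: str) -> int:
    """Unknown user: ordinary 401. Known user with a null credential: unhandled error (500)."""
    stored = USERS.get(j_username)
    credentials = decode_form_value(j_password)
    if stored is None:
        return 401
    try:
        matched = hmac.compare_digest(credentials, stored.encode())
    except TypeError:  # credentials is None: the missing error check
        return 500
    return 200 if matched else 401

def hardened_login(j_username: str, j_password: str) -> int:
    """Validate the credential before any lookup and fail identically for every bad input."""
    credentials = decode_form_value(j_password)
    if credentials is None:
        return 401
    stored = USERS.get(j_username)
    expected = (stored or "").encode()  # compare something even for unknown users
    matched = hmac.compare_digest(credentials, expected) and stored is not None
    return 200 if matched else 401

def leaks_username(login: Callable[[str, str], int]) -> bool:
    """Regression check for the fix: a malformed password must not split known and unknown users."""
    return login("alice", "%") != login("nobody", "%")
```

Running leaks_username against a login handler is the check to keep in a test suite: it must return False after the fix.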
References