CVE-2009-0580
Exposure of Sensitive Information in Apache Tomcat
EPSS 89.6%
Description
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
How to fix CVE-2009-0580
To remediate CVE-2009-0580, upgrade the affected package to a fixed version below.
- Maven/org.apache.tomcat:tomcat—upgrade to 4.1.40 or later
Is CVE-2009-0580 being exploited?
Likely — EPSS is 89.6%, placing CVE-2009-0580 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- >= 4.1.0, < 4.1.40