CVE-2011-1184
tomcat6 - several
EPSS 2.2%
Description
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.
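The two countermeasures the description says were missing, shown as an added illustration that is not Tomcat's own code: the server accepts only nonces it issued itself and that are still within their lifetime, and it rejects any request whose nonce-count (nc) does not advance past the last value already accepted for that nonce, so a sniffed request cannot simply be resubmitted. It assumes the Digest response hash has already been verified against the same nonce and nc; the secret key, lifetime, class and function names are constructed for this example.

```python
import hashlib
import hmac
import os
import time

SECRET = os.urandom(32)   # per-process key that authenticates our own nonces (constructed for the example)
NONCE_LIFETIME = 300      # seconds a server nonce stays usable before the client must re-authenticate


def issue_nonce(now=None):
    """Build a server nonce as <timestamp>:<hmac> so it can later be recognised as ours."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_is_valid(nonce, now=None):
    """Reject nonces we did not issue, malformed nonces, and nonces past their lifetime."""
    try:
        ts, mac = nonce.split(":", 1)
        expected = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False
        age = (now if now is not None else time.time()) - int(ts)
        return 0 <= age <= NONCE_LIFETIME
    except ValueError:        # missing ':' separator or non-numeric timestamp
        return False


class ReplayGuard:
    """Remembers the highest nc accepted per nonce; a replayed request reuses an old (nonce, nc) pair."""

    def __init__(self):
        self._last_nc = {}

    def check(self, nonce, nc_hex, now=None):
        if not nonce_is_valid(nonce, now):
            return "stale"        # respond 401 with a fresh nonce (stale=true)
        try:
            nc = int(nc_hex, 16)  # nc is an 8-digit hex counter per RFC 2617
        except ValueError:
            return "malformed"
        last = self._last_nc.get(nonce, 0)
        if nc <= last:
            return "replay"       # same or lower count than already accepted: reject
        self._last_nc[nonce] = nc
        return "ok"
```

The `_last_nc` table must be bounded in a real server (entries for expired nonces can be dropped), otherwise the replay state itself becomes a memory-exhaustion target.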
How to fix CVE-2011-1184
To remediate CVE-2011-1184, upgrade the affected package to a fixed version below.
- Debian/tomcat6: upgrade to 6.0.35-1+squeeze2 or later
- upgrade to 5.5.34 or later
Is CVE-2011-1184 being exploited?
Low: EPSS is 2.2%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian/tomcat6: >= 0, < 6.0.35-1+squeeze2
- >= 5.5.0, < 5.5.34