CVE-2011-5064
Use of Hard-coded Cryptographic Key in Apache Tomcat
EPSS 5.3%
Description
DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.
Why this matters: in Digest authentication the server secret is what binds a nonce to the server that issued it. The nonce carries a hash computed over the request context and the secret, so only the holder of the secret can produce a nonce that passes validation. With the secret fixed to the public string "Catalina" in every default installation, anyone who reads the source can mint nonces the server will accept, including nonces with whatever timestamp suits them, which defeats the freshness and replay checks the nonce exists to provide. The fix is to stop using a shared, publicly known default and generate the secret randomly for each instance.
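The following is an added illustration of the weakness, not code from Tomcat or the page. It models a simplified Digest nonce scheme (timestamp plus a hash over client address, timestamp and server secret; the exact format is an assumption, not Tomcat's) and shows that an attacker who knows the secret can forge a nonce the server accepts, while a per-instance random secret defeats the same forgery. The client address and timestamps are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Default secret the advisory describes; every default install shared it.
HARDCODED_KEY = "Catalina"
NONCE_VALIDITY_SECONDS = 300

def make_nonce(secret: str, client_ip: str, issued_at: int) -> str:
    """Server-side nonce: timestamp, plus a hash that only the secret holder can compute.
    Simplified model (assumption), not Tomcat's exact nonce layout."""
    digest = hashlib.md5(f"{client_ip}:{issued_at}:{secret}".encode()).hexdigest()
    return f"{issued_at}:{digest}"

def nonce_is_valid(secret: str, client_ip: str, nonce: str, now: int) -> bool:
    """Accept only nonces whose hash matches this server's secret and are still fresh."""
    try:
        issued_str, _ = nonce.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    expected = make_nonce(secret, client_ip, issued_at)
    # Constant-time compare so validation itself leaks nothing about the secret.
    if not hmac.compare_digest(expected, nonce):
        return False
    return 0 <= now - issued_at <= NONCE_VALIDITY_SECONDS

def attacker_forges_nonce(guessed_secret: str, client_ip: str, when: int) -> str:
    """The attacker never asked the server for a challenge; they mint one themselves."""
    return make_nonce(guessed_secret, client_ip, when)

def forgery_accepted(server_secret: str, now: int = 1_700_000_000) -> bool:
    """Does a nonce forged with the public default 'Catalina' pass this server's check?"""
    client_ip = "203.0.113.7"  # constructed sample client address
    forged = attacker_forges_nonce(HARDCODED_KEY, client_ip, now)
    return nonce_is_valid(server_secret, client_ip, forged, now)

def legitimate_nonce_accepted(server_secret: str, now: int = 1_700_000_000) -> bool:
    """Sanity check: the server's own fresh nonce still validates under a random secret."""
    client_ip = "203.0.113.7"
    issued = make_nonce(server_secret, client_ip, now - 10)
    return nonce_is_valid(server_secret, client_ip, issued, now)

def stale_nonce_rejected(server_secret: str, now: int = 1_700_000_000) -> bool:
    """A genuine but expired nonce must be refused, so freshness is actually enforced."""
    client_ip = "203.0.113.7"
    old = make_nonce(server_secret, client_ip, now - NONCE_VALIDITY_SECONDS - 1)
    return not nonce_is_valid(server_secret, client_ip, old, now)

if __name__ == "__main__":
    # Vulnerable configuration: secret is the well-known default.
    print("forgery accepted with hard-coded key:", forgery_accepted(HARDCODED_KEY))
    # Fixed configuration: secret generated per instance from a CSPRNG.
    random_key = secrets.token_hex(16)
    print("forgery accepted with random key:", forgery_accepted(random_key))
    print("own nonce accepted with random key:", legitimate_nonce_accepted(random_key))
```

The point of the random key is not that MD5 over a secret is strong (Digest authentication as a whole is weak by modern standards); it is that a secret every installation shares, and that appears in public source, provides no protection at all. Generating it from a CSPRNG at startup removes the attacker's knowledge of the secret without changing the protocol.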
How to fix CVE-2011-5064
To remediate CVE-2011-5064, upgrade the affected package to a fixed version. The fixed releases named in the description are 5.5.34 for the 5.5.x branch, 6.0.33 for 6.x and 7.0.12 for 7.x; the fixed versions replace the shared "Catalina" default with a randomly generated per-instance secret. All three branches are long past end of life, so in practice the upgrade target is a currently supported Tomcat release.
- Maven/org.apache.tomcat:tomcat: upgrade to 5.5.34 or later
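An added helper, not from the page or the Tomcat project, for checking a deployed or declared Tomcat version against the three affected ranges from the description. It compares version components numerically, so that 5.5.4 is correctly treated as older than 5.5.34 (a plain string comparison gets this wrong). The version strings in the usage block are constructed samples.

```python
import re

# Affected ranges, exactly as the advisory states them:
#   5.5.x before 5.5.34, 6.x before 6.0.33, 7.x before 7.0.12
FIXED = {5: (5, 34), 6: (0, 33), 7: (0, 12)}

def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' with an optional qualifier such as '-RC1' or '.0'."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)(?:[.-][0-9A-Za-z.-]*)?\s*", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch

def is_affected(version: str) -> bool:
    """True if this Tomcat version falls in an affected range for CVE-2011-5064."""
    major, minor, patch = parse_version(version)
    if major == 5:
        # Only the 5.5.x line is named; 5.0.x is not in scope of the advisory.
        return minor == 5 and patch < FIXED[5][1]
    if major in (6, 7):
        return (minor, patch) < FIXED[major]
    return False

def triage(versions: list[str]) -> dict[str, bool]:
    """Map each version string to its affected/not-affected verdict."""
    return {v: is_affected(v) for v in versions}

if __name__ == "__main__":
    # Constructed sample inventory of version strings.
    for v, hit in triage(["5.5.4", "5.5.33", "5.5.34", "6.0.32", "7.0.12", "8.5.100"]).items():
        print(f"{v:>8}: {'AFFECTED' if hit else 'ok'}")
```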
Is CVE-2011-5064 being exploited?
Moderate. EPSS is 5.3%, an estimate of the probability that the CVE is exploited in the wild within the next 30 days, which puts it well below the top of the prioritisation list on that measure alone. Treat it as a tracked item rather than an emergency, with two caveats: the knowledge needed to exploit it is a single public string, so the barrier is low wherever Digest authentication is actually enabled, and every affected branch is end of life, so the upgrade is warranted regardless of this one issue.
Affected packages (1)
- Maven/org.apache.tomcat:tomcat: >= 5.5.0, < 5.5.34
Note that the description also names Tomcat 6.x before 6.0.33 and 7.x before 7.0.12 as affected; only the 5.5.x Maven artifact is tracked in this list.