CVE - CVE-2012-3546

CVE-ID
CVE-2012-3546	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:1027833 URL:http://www.securitytracker.com/id?1027833 MISC:20121204 CVE-2012-3546 Apache Tomcat Bypass of security constraints URL:http://archives.neohapsis.com/archives/bugtraq/2012-12/0044.html MISC:51984 URL:http://secunia.com/advisories/51984 MISC:52054 URL:http://secunia.com/advisories/52054 MISC:56812 URL:http://www.securityfocus.com/bid/56812 MISC:57126 URL:http://secunia.com/advisories/57126 MISC:HPSBMU02873 URL:https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878 MISC:HPSBST02955 URL:http://marc.info/?l=bugtraq&m=139344343412337&w=2 MISC:HPSBUX02866 URL:http://marc.info/?l=bugtraq&m=136612293908376&w=2 MISC:RHSA-2013:0004 URL:http://rhn.redhat.com/errata/RHSA-2013-0004.html MISC:RHSA-2013:0005 URL:http://rhn.redhat.com/errata/RHSA-2013-0005.html MISC:RHSA-2013:0146 URL:http://rhn.redhat.com/errata/RHSA-2013-0146.html MISC:RHSA-2013:0147 URL:http://rhn.redhat.com/errata/RHSA-2013-0147.html MISC:RHSA-2013:0151 URL:http://rhn.redhat.com/errata/RHSA-2013-0151.html MISC:RHSA-2013:0157 URL:http://rhn.redhat.com/errata/RHSA-2013-0157.html MISC:RHSA-2013:0158 URL:http://rhn.redhat.com/errata/RHSA-2013-0158.html MISC:RHSA-2013:0162 URL:http://rhn.redhat.com/errata/RHSA-2013-0162.html MISC:RHSA-2013:0163 URL:http://rhn.redhat.com/errata/RHSA-2013-0163.html MISC:RHSA-2013:0164 URL:http://rhn.redhat.com/errata/RHSA-2013-0164.html MISC:RHSA-2013:0191 URL:http://rhn.redhat.com/errata/RHSA-2013-0191.html MISC:RHSA-2013:0192 URL:http://rhn.redhat.com/errata/RHSA-2013-0192.html MISC:RHSA-2013:0193 URL:http://rhn.redhat.com/errata/RHSA-2013-0193.html MISC:RHSA-2013:0194 URL:http://rhn.redhat.com/errata/RHSA-2013-0194.html MISC:RHSA-2013:0195 URL:http://rhn.redhat.com/errata/RHSA-2013-0195.html MISC:RHSA-2013:0196 URL:http://rhn.redhat.com/errata/RHSA-2013-0196.html MISC:RHSA-2013:0197 URL:http://rhn.redhat.com/errata/RHSA-2013-0197.html MISC:RHSA-2013:0198 URL:http://rhn.redhat.com/errata/RHSA-2013-0198.html MISC:RHSA-2013:0221 URL:http://rhn.redhat.com/errata/RHSA-2013-0221.html MISC:RHSA-2013:0235 URL:http://rhn.redhat.com/errata/RHSA-2013-0235.html MISC:RHSA-2013:0623 URL:http://rhn.redhat.com/errata/RHSA-2013-0623.html MISC:RHSA-2013:0640 URL:http://rhn.redhat.com/errata/RHSA-2013-0640.html MISC:RHSA-2013:0641 URL:http://rhn.redhat.com/errata/RHSA-2013-0641.html MISC:RHSA-2013:0642 URL:http://rhn.redhat.com/errata/RHSA-2013-0642.html MISC:SSRT101139 URL:http://marc.info/?l=bugtraq&m=136612293908376&w=2 MISC:SSRT101182 URL:https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878 MISC:USN-1685-1 URL:http://www.ubuntu.com/usn/USN-1685-1 MISC:http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1377892&r2=1377891&pathrev=1377892 URL:http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1377892&r2=1377891&pathrev=1377892 MISC:http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1377892&r2=1377891&pathrev=1377892 URL:http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1377892&r2=1377891&pathrev=1377892 MISC:http://svn.apache.org/viewvc?view=revision&revision=1377892 URL:http://svn.apache.org/viewvc?view=revision&revision=1377892 MISC:http://tomcat.apache.org/security-6.html URL:http://tomcat.apache.org/security-6.html MISC:http://tomcat.apache.org/security-7.html URL:http://tomcat.apache.org/security-7.html MISC:openSUSE-SU-2012:1700 URL:http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html MISC:openSUSE-SU-2012:1701 URL:http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html MISC:openSUSE-SU-2013:0147 URL:http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html MISC:oval:org.mitre.oval:def:19305 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19305
Assigning CNA
Red Hat, Inc.
Date Record Created
20120614	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20120614)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)