CVE-2009-0580
Publication date 5 June 2009
Last updated 24 July 2024
Ubuntu priority
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
Status
Package | Ubuntu Release | Status |
---|---|---|
tomcat5 | 11.10 oneiric | Not in release |
11.04 natty | Not in release | |
10.10 maverick | Not in release | |
10.04 LTS lucid | Not in release | |
9.10 karmic | Not in release | |
9.04 jaunty | Not in release | |
8.10 intrepid | Not in release | |
8.04 LTS hardy | Not in release | |
6.06 LTS dapper | Ignored end of life | |
tomcat5.5 | 11.10 oneiric | Not in release |
11.04 natty | Not in release | |
10.10 maverick | Not in release | |
10.04 LTS lucid | Not in release | |
9.10 karmic | Not in release | |
9.04 jaunty | Ignored end of life | |
8.10 intrepid | Ignored end of life, was needed | |
8.04 LTS hardy | Ignored end of life | |
6.06 LTS dapper | Not in release | |
tomcat6 | 11.10 oneiric |
Not affected
|
11.04 natty |
Not affected
|
|
10.10 maverick |
Not affected
|
|
10.04 LTS lucid |
Not affected
|
|
9.10 karmic |
Not affected
|
|
9.04 jaunty |
Fixed 6.0.18-0ubuntu6.1
|
|
8.10 intrepid |
Fixed 6.0.18-0ubuntu3.2
|
|
8.04 LTS hardy | Not in release | |
6.06 LTS dapper | Not in release |
Notes
Patch details
Package | Patch details |
---|---|
tomcat5.5 | |
tomcat6 |
References
Related Ubuntu Security Notices (USN)
- USN-788-1
- Tomcat vulnerabilities
- 15 June 2009