4.3

CVE-2009-0580

EPSS 84.44%
Published 05.06.2009 16:00:00
Last modified 09.04.2025 00:30:58
Source secalert@redhat.com
Teams watchlist Login
Open Login

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

Affected products Warnungen 0 Metrics 2 CWE 1 References 52

Data is provided by the National Vulnerability Database (NVD)

Apache ≫ Tomcat Version4.1.0

Apache ≫ Tomcat Version4.1.1

Apache ≫ Tomcat Version4.1.2

Apache ≫ Tomcat Version4.1.3

Apache ≫ Tomcat Version4.1.3 Updatebeta

Apache ≫ Tomcat Version4.1.4

Apache ≫ Tomcat Version4.1.5

Apache ≫ Tomcat Version4.1.6

Apache ≫ Tomcat Version4.1.7

Apache ≫ Tomcat Version4.1.8

Apache ≫ Tomcat Version4.1.9

Apache ≫ Tomcat Version4.1.9 Updatebeta

Apache ≫ Tomcat Version4.1.10

Apache ≫ Tomcat Version4.1.11

Apache ≫ Tomcat Version4.1.12

Apache ≫ Tomcat Version4.1.13

Apache ≫ Tomcat Version4.1.14

Apache ≫ Tomcat Version4.1.15

Apache ≫ Tomcat Version4.1.16

Apache ≫ Tomcat Version4.1.17

Apache ≫ Tomcat Version4.1.18

Apache ≫ Tomcat Version4.1.19

Apache ≫ Tomcat Version4.1.20

Apache ≫ Tomcat Version4.1.21

Apache ≫ Tomcat Version4.1.22

Apache ≫ Tomcat Version4.1.23

Apache ≫ Tomcat Version4.1.24

Apache ≫ Tomcat Version4.1.25

Apache ≫ Tomcat Version4.1.26

Apache ≫ Tomcat Version4.1.27

Apache ≫ Tomcat Version4.1.28

Apache ≫ Tomcat Version4.1.29

Apache ≫ Tomcat Version4.1.30

Apache ≫ Tomcat Version4.1.31

Apache ≫ Tomcat Version4.1.32

Apache ≫ Tomcat Version4.1.33

Apache ≫ Tomcat Version4.1.34

Apache ≫ Tomcat Version4.1.35

Apache ≫ Tomcat Version4.1.36

Apache ≫ Tomcat Version4.1.37

Apache ≫ Tomcat Version4.1.38

Apache ≫ Tomcat Version4.1.39

Apache ≫ Tomcat Version5.5.0

Apache ≫ Tomcat Version5.5.1

Apache ≫ Tomcat Version5.5.2

Apache ≫ Tomcat Version5.5.3

Apache ≫ Tomcat Version5.5.4

Apache ≫ Tomcat Version5.5.5

Apache ≫ Tomcat Version5.5.6

Apache ≫ Tomcat Version5.5.7

Apache ≫ Tomcat Version5.5.8

Apache ≫ Tomcat Version5.5.9

Apache ≫ Tomcat Version5.5.10

Apache ≫ Tomcat Version5.5.11

Apache ≫ Tomcat Version5.5.12

Apache ≫ Tomcat Version5.5.13

Apache ≫ Tomcat Version5.5.14

Apache ≫ Tomcat Version5.5.15

Apache ≫ Tomcat Version5.5.16

Apache ≫ Tomcat Version5.5.17

Apache ≫ Tomcat Version5.5.18

Apache ≫ Tomcat Version5.5.19

Apache ≫ Tomcat Version5.5.20

Apache ≫ Tomcat Version5.5.21

Apache ≫ Tomcat Version5.5.22

Apache ≫ Tomcat Version5.5.23

Apache ≫ Tomcat Version5.5.24

Apache ≫ Tomcat Version5.5.25

Apache ≫ Tomcat Version5.5.26

Apache ≫ Tomcat Version5.5.27

Apache ≫ Tomcat Version6.0.0

Apache ≫ Tomcat Version6.0.1

Apache ≫ Tomcat Version6.0.2

Apache ≫ Tomcat Version6.0.3

Apache ≫ Tomcat Version6.0.4

Apache ≫ Tomcat Version6.0.5

Apache ≫ Tomcat Version6.0.6

Apache ≫ Tomcat Version6.0.7

Apache ≫ Tomcat Version6.0.8

Apache ≫ Tomcat Version6.0.9

Apache ≫ Tomcat Version6.0.10

Apache ≫ Tomcat Version6.0.11

Apache ≫ Tomcat Version6.0.12

Apache ≫ Tomcat Version6.0.13

Apache ≫ Tomcat Version6.0.14

Apache ≫ Tomcat Version6.0.15

Apache ≫ Tomcat Version6.0.16

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	84.44%	0.993

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:P/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

http://tomcat.apache.org/security-4.html

Patch

Vendor Advisory

http://tomcat.apache.org/security-5.html

Patch

Vendor Advisory

http://tomcat.apache.org/security-6.html

Patch

Vendor Advisory

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://support.apple.com/kb/HT4077

http://www.securityfocus.com/archive/1/507985/100/0/threaded

http://www.vmware.com/security/advisories/VMSA-2009-0016.html

http://www.vupen.com/english/advisories/2009/3316

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

http://secunia.com/advisories/37460

http://www.mandriva.com/security/advisories?name=MDVSA-2009:136

http://www.mandriva.com/security/advisories?name=MDVSA-2010:176

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

http://secunia.com/advisories/35685

http://marc.info/?l=bugtraq&m=127420533226623&w=2

http://marc.info/?l=bugtraq&m=129070310906557&w=2

http://marc.info/?l=bugtraq&m=133469267822771&w=2

http://marc.info/?l=bugtraq&m=136485229118404&w=2

http://secunia.com/advisories/35788

http://secunia.com/advisories/42368

http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

http://www.debian.org/security/2011/dsa-2207

http://www.mandriva.com/security/advisories?name=MDVSA-2009:138

http://www.vupen.com/english/advisories/2009/1856

http://www.vupen.com/english/advisories/2010/3056

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

http://secunia.com/advisories/35326

Vendor Advisory

http://secunia.com/advisories/35344

Vendor Advisory

http://www.vupen.com/english/advisories/2009/1496

Patch

Vendor Advisory

http://securitytracker.com/id?1022332

http://svn.apache.org/viewvc?rev=747840&view=rev

Patch

Vendor Advisory

http://svn.apache.org/viewvc?rev=781379&view=rev

Patch

Vendor Advisory

http://svn.apache.org/viewvc?rev=781382&view=rev

Patch

Vendor Advisory

http://www.securityfocus.com/archive/1/504045/100/0/threaded

http://www.securityfocus.com/archive/1/504108/100/0/threaded

http://www.securityfocus.com/archive/1/504125/100/0/threaded

http://www.securityfocus.com/bid/35196

https://exchange.xforce.ibmcloud.com/vulnerabilities/50930

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101

https://nvd.nist.gov/vuln/detail/CVE-2009-0580

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2009-0580

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2009-0580

EUVD