CVE-2010-1157: Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
CVSS Score
2.6
Basic Information
CVE ID
CVE-2010-1157
GHSA ID
EPSS Score
0.93552%
CWE
Published
5/2/2022
Updated
2/13/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
AV:N/AC:H/Au:N/C:P/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.apache.tomcat:tomcat | maven | >= 5.5.0, <= 5.5.29 | 5.5.30 |
org.apache.tomcat:tomcat | maven | >= 6.0.0, <= 6.0.26 | 6.0.28 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability occurs in the authentication handlers that construct the WWW-Authenticate header. The security advisories explicitly state that, when no <realm-name> was configured, the realm field was generated from request.getServerName() plus the port, which discloses the server's hostname and port to unauthenticated clients. The patches modified the Basic and Digest authenticators and RealmBase to remove these server-specific defaults. These functions would appear in stack traces during authentication challenges for protected resources.