
CVE-2010-1157: Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

CVSS Score: 2.6

Basic Information

EPSS Score: 0.93552%
Published: 5/2/2022
Updated: 2/13/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Package Name             | Ecosystem | Vulnerable Versions  | First Patched Version
org.apache.tomcat:tomcat | maven     | >= 5.5.0, <= 5.5.29  | 5.5.30
org.apache.tomcat:tomcat | maven     | >= 6.0.0, <= 6.0.26  | 6.0.28

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability occurs in the authentication handlers that construct WWW-Authenticate headers. The security advisories explicitly state that the realm field was generated from request.getServerName() plus the port when no <realm-name> was configured, so the challenge itself disclosed the server's hostname or IP address. The patches modified the Basic and Digest authenticators and RealmBase to remove these server-specific defaults. These functions would appear in stack traces during authentication challenges for protected resources.
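As an added example (not part of the Miggo page or Tomcat's own code), the following Python check parses WWW-Authenticate challenges from response headers and flags realm values shaped like the server-derived host:port or IP address described above, so a defender can audit their own Tomcat responses for the leak. The header lines are constructed samples, and the hostname heuristic is an assumption of the example.

```python
import ipaddress
import re

# Pulls the realm parameter out of a WWW-Authenticate value (Basic or Digest, quoted or bare).
REALM_RE = re.compile(r'\brealm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.IGNORECASE)

def parse_realm(challenge):
    """Return the realm from a WWW-Authenticate value, or None if absent."""
    m = REALM_RE.search(challenge)
    if not m:
        return None
    quoted, bare = m.groups()
    return quoted.replace('\\"', '"') if quoted is not None else bare

def realm_leaks_host(realm):
    """True when the realm looks like a server-derived host:port or IP address,
    the shape CVE-2010-1157 describes when no <realm-name> is configured.
    The hostname heuristic is an assumption of this example, not the advisory's."""
    host, sep, port = realm.rpartition(":")
    has_port = bool(sep) and port.isdigit()
    candidate = (host if has_port else realm).strip("[]")  # drop IPv6 brackets
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        pass
    is_hostname = re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*", candidate) is not None
    return is_hostname and (has_port or "." in candidate)

def audit_challenges(header_lines):
    """Return (header_line, realm) pairs whose realm exposes a host or IP."""
    findings = []
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        realm = parse_realm(value)
        if realm is not None and realm_leaks_host(realm):
            findings.append((line, realm))
    return findings

# Constructed sample response headers (not captured from a real server).
SAMPLE_HEADERS = [
    'WWW-Authenticate: Basic realm="intranet-app01.example.internal:8080"',
    'WWW-Authenticate: Digest realm="10.0.0.12:8443", nonce="abc", qop="auth"',
    'WWW-Authenticate: Basic realm="Authentication required"',
    'WWW-Authenticate: Digest realm="Protected Area", nonce="xyz"',
    "Content-Type: text/html",
]
```

Calling audit_challenges(SAMPLE_HEADERS) returns only the first two sample lines; the fixed-string realms pass, which is the result to expect once a <realm-name> is configured or the patched version is deployed.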


WAF Protection Rules

WAF Rule

Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the re
