CVE-2009-0580
Apache Tomcat 6.0.18 - Form Authentication Existing/Non-Existing 'Username' Enumeration
Severity Score
7.5
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
Apache Tomcat v4.1.0 hasta v4.1.39, v5.5.0 hasta v5.5.27, y v6.0.0 hasta v6.0.18, cuando se utiliza autenticación FORM, permite a atacantes remotos enumerar nombres de usuarios válidos a través de una solicitud a /j_security_check con codificación malformada de URL de contraseñas. Está relacionado con una comprobación de errores incorrecta en los entornos de autenticación (1) MemoryRealm, (2) DataSourceRealm y (3) JDBCRealm; como se ha demostrado con un valor % (porcentaje) en el parámetro j_password.
Iida Minehiko discovered that Tomcat did not properly normalise paths. A remote attacker could send specially crafted requests to the server and bypass security restrictions, gaining access to sensitive content. Yoshihito Fukuyama discovered that Tomcat did not properly handle errors when the Java AJP connector and mod_jk load balancing are used. A remote attacker could send specially crafted requests containing invalid headers to the server and cause a temporary denial of service. D. Matscheko and T. Hackner discovered that Tomcat did not properly handle malformed URL encoding of passwords when FORM authentication is used. A remote attacker could exploit this in order to enumerate valid usernames. Deniz Cevik discovered that Tomcat did not properly escape certain parameters in the example calendar application which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. Philippe Prados discovered that Tomcat allowed web applications to replace the XML parser used by other web applications. Local users could exploit this to bypass security restrictions and gain access to certain sensitive files.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2009-02-13 CVE Reserved
- 2009-06-04 CVE Published
- 2014-04-25 First Exploit
- 2024-08-07 CVE Updated
- 2025-07-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (53)
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/181053 | 2024-09-01 | |
| https://www.exploit-db.com/exploits/33023 | 2014-04-25 |
| URL | Date | SRC |
|---|---|---|
| http://svn.apache.org/viewvc?rev=747840&view=rev | 2023-02-13 | |
| http://svn.apache.org/viewvc?rev=781379&view=rev | 2023-02-13 | |
| http://svn.apache.org/viewvc?rev=781382&view=rev | 2023-02-13 | |
| http://tomcat.apache.org/security-4.html | 2023-02-13 | |
| http://tomcat.apache.org/security-5.html | 2023-02-13 | |
| http://tomcat.apache.org/security-6.html | 2023-02-13 | |
| http://www.vupen.com/english/advisories/2009/1496 | 2023-02-13 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.0 Search vendor "Apache" for product "Tomcat" and version "4.1.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.1 Search vendor "Apache" for product "Tomcat" and version "4.1.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.2 Search vendor "Apache" for product "Tomcat" and version "4.1.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.3 Search vendor "Apache" for product "Tomcat" and version "4.1.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.3 Search vendor "Apache" for product "Tomcat" and version "4.1.3" | beta |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.4 Search vendor "Apache" for product "Tomcat" and version "4.1.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.5 Search vendor "Apache" for product "Tomcat" and version "4.1.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.6 Search vendor "Apache" for product "Tomcat" and version "4.1.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.7 Search vendor "Apache" for product "Tomcat" and version "4.1.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.8 Search vendor "Apache" for product "Tomcat" and version "4.1.8" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.9 Search vendor "Apache" for product "Tomcat" and version "4.1.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.9 Search vendor "Apache" for product "Tomcat" and version "4.1.9" | beta |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.10 Search vendor "Apache" for product "Tomcat" and version "4.1.10" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.11 Search vendor "Apache" for product "Tomcat" and version "4.1.11" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.12 Search vendor "Apache" for product "Tomcat" and version "4.1.12" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.13 Search vendor "Apache" for product "Tomcat" and version "4.1.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.14 Search vendor "Apache" for product "Tomcat" and version "4.1.14" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.15 Search vendor "Apache" for product "Tomcat" and version "4.1.15" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.16 Search vendor "Apache" for product "Tomcat" and version "4.1.16" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.17 Search vendor "Apache" for product "Tomcat" and version "4.1.17" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.18 Search vendor "Apache" for product "Tomcat" and version "4.1.18" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.19 Search vendor "Apache" for product "Tomcat" and version "4.1.19" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.20 Search vendor "Apache" for product "Tomcat" and version "4.1.20" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.21 Search vendor "Apache" for product "Tomcat" and version "4.1.21" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.22 Search vendor "Apache" for product "Tomcat" and version "4.1.22" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.23 Search vendor "Apache" for product "Tomcat" and version "4.1.23" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.24 Search vendor "Apache" for product "Tomcat" and version "4.1.24" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.25 Search vendor "Apache" for product "Tomcat" and version "4.1.25" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.26 Search vendor "Apache" for product "Tomcat" and version "4.1.26" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.27 Search vendor "Apache" for product "Tomcat" and version "4.1.27" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.28 Search vendor "Apache" for product "Tomcat" and version "4.1.28" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.29 Search vendor "Apache" for product "Tomcat" and version "4.1.29" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.30 Search vendor "Apache" for product "Tomcat" and version "4.1.30" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.31 Search vendor "Apache" for product "Tomcat" and version "4.1.31" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.32 Search vendor "Apache" for product "Tomcat" and version "4.1.32" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.33 Search vendor "Apache" for product "Tomcat" and version "4.1.33" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.34 Search vendor "Apache" for product "Tomcat" and version "4.1.34" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.35 Search vendor "Apache" for product "Tomcat" and version "4.1.35" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.36 Search vendor "Apache" for product "Tomcat" and version "4.1.36" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.37 Search vendor "Apache" for product "Tomcat" and version "4.1.37" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.38 Search vendor "Apache" for product "Tomcat" and version "4.1.38" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 4.1.39 Search vendor "Apache" for product "Tomcat" and version "4.1.39" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.0 Search vendor "Apache" for product "Tomcat" and version "5.5.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.1 Search vendor "Apache" for product "Tomcat" and version "5.5.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.2 Search vendor "Apache" for product "Tomcat" and version "5.5.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.3 Search vendor "Apache" for product "Tomcat" and version "5.5.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.4 Search vendor "Apache" for product "Tomcat" and version "5.5.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.5 Search vendor "Apache" for product "Tomcat" and version "5.5.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.6 Search vendor "Apache" for product "Tomcat" and version "5.5.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.7 Search vendor "Apache" for product "Tomcat" and version "5.5.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.8 Search vendor "Apache" for product "Tomcat" and version "5.5.8" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.9 Search vendor "Apache" for product "Tomcat" and version "5.5.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.10 Search vendor "Apache" for product "Tomcat" and version "5.5.10" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.11 Search vendor "Apache" for product "Tomcat" and version "5.5.11" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.12 Search vendor "Apache" for product "Tomcat" and version "5.5.12" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.13 Search vendor "Apache" for product "Tomcat" and version "5.5.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.14 Search vendor "Apache" for product "Tomcat" and version "5.5.14" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.15 Search vendor "Apache" for product "Tomcat" and version "5.5.15" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.16 Search vendor "Apache" for product "Tomcat" and version "5.5.16" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.17 Search vendor "Apache" for product "Tomcat" and version "5.5.17" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.18 Search vendor "Apache" for product "Tomcat" and version "5.5.18" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.19 Search vendor "Apache" for product "Tomcat" and version "5.5.19" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.20 Search vendor "Apache" for product "Tomcat" and version "5.5.20" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.21 Search vendor "Apache" for product "Tomcat" and version "5.5.21" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.22 Search vendor "Apache" for product "Tomcat" and version "5.5.22" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.23 Search vendor "Apache" for product "Tomcat" and version "5.5.23" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.24 Search vendor "Apache" for product "Tomcat" and version "5.5.24" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.25 Search vendor "Apache" for product "Tomcat" and version "5.5.25" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.26 Search vendor "Apache" for product "Tomcat" and version "5.5.26" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 5.5.27 Search vendor "Apache" for product "Tomcat" and version "5.5.27" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.0 Search vendor "Apache" for product "Tomcat" and version "6.0.0" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.1 Search vendor "Apache" for product "Tomcat" and version "6.0.1" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.2 Search vendor "Apache" for product "Tomcat" and version "6.0.2" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.3 Search vendor "Apache" for product "Tomcat" and version "6.0.3" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.4 Search vendor "Apache" for product "Tomcat" and version "6.0.4" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.5 Search vendor "Apache" for product "Tomcat" and version "6.0.5" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.6 Search vendor "Apache" for product "Tomcat" and version "6.0.6" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.7 Search vendor "Apache" for product "Tomcat" and version "6.0.7" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.8 Search vendor "Apache" for product "Tomcat" and version "6.0.8" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.9 Search vendor "Apache" for product "Tomcat" and version "6.0.9" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.10 Search vendor "Apache" for product "Tomcat" and version "6.0.10" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.11 Search vendor "Apache" for product "Tomcat" and version "6.0.11" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.12 Search vendor "Apache" for product "Tomcat" and version "6.0.12" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.13 Search vendor "Apache" for product "Tomcat" and version "6.0.13" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.14 Search vendor "Apache" for product "Tomcat" and version "6.0.14" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.15 Search vendor "Apache" for product "Tomcat" and version "6.0.15" | - |
Affected
| ||||||
| Apache Search vendor "Apache" | Tomcat Search vendor "Apache" for product "Tomcat" | 6.0.16 Search vendor "Apache" for product "Tomcat" and version "6.0.16" | - |
Affected
| ||||||