CVE-2009-0580

Apache Tomcat 6.0.18 - Form Authentication Existing/Non-Existing 'Username' Enumeration

Severity Score

4.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

Apache Tomcat v4.1.0 hasta v4.1.39, v5.5.0 hasta v5.5.27, y v6.0.0 hasta v6.0.18, cuando se utiliza autenticación FORM, permite a atacantes remotos enumerar nombres de usuarios válidos a través de una solicitud a /j_security_check con codificación malformada de URL de contraseñas. Está relacionado con una comprobación de errores incorrecta en los entornos de autenticación (1) MemoryRealm, (2) DataSourceRealm y (3) JDBCRealm; como se ha demostrado con un valor % (porcentaje) en el parámetro j_password.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2009-02-13 CVE Reserved
2009-06-03 First Exploit
2009-06-04 CVE Published
2024-07-25 EPSS Updated
2024-08-07 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

CAPEC

References (52)

URL	Tag	Source
http://secunia.com/advisories/35685	Third Party Advisory
http://secunia.com/advisories/35788	Third Party Advisory
http://secunia.com/advisories/37460	Third Party Advisory
http://secunia.com/advisories/42368	Third Party Advisory
http://securitytracker.com/id?1022332	Vdb Entry
http://support.apple.com/kb/HT4077	X_refsource_confirm
http://www.securityfocus.com/archive/1/504045/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/504108/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/504125/100/0/threaded	Mailing List
http://www.securityfocus.com/archive/1/507985/100/0/threaded	Mailing List
http://www.securityfocus.com/bid/35196	Vdb Entry
http://www.vmware.com/security/advisories/VMSA-2009-0016.html	X_refsource_confirm
http://www.vupen.com/english/advisories/2009/1856	Vdb Entry
http://www.vupen.com/english/advisories/2009/3316	Vdb Entry
http://www.vupen.com/english/advisories/2010/3056	Vdb Entry
https://exchange.xforce.ibmcloud.com/vulnerabilities/50930	Vdb Entry
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628	Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101	Signature

URL	Date	SRC
https://www.exploit-db.com/exploits/33023	2009-06-03

URL	Date	SRC
http://svn.apache.org/viewvc?rev=747840&view=rev	2023-02-13
http://svn.apache.org/viewvc?rev=781379&view=rev	2023-02-13
http://svn.apache.org/viewvc?rev=781382&view=rev	2023-02-13
http://tomcat.apache.org/security-4.html	2023-02-13
http://tomcat.apache.org/security-5.html	2023-02-13
http://tomcat.apache.org/security-6.html	2023-02-13
http://www.vupen.com/english/advisories/2009/1496	2023-02-13

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html	2023-02-13
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html	2023-02-13
http://marc.info/?l=bugtraq&m=127420533226623&w=2	2023-02-13
http://marc.info/?l=bugtraq&m=129070310906557&w=2	2023-02-13
http://marc.info/?l=bugtraq&m=133469267822771&w=2	2023-02-13
http://marc.info/?l=bugtraq&m=136485229118404&w=2	2023-02-13
http://secunia.com/advisories/35326	2023-02-13
http://secunia.com/advisories/35344	2023-02-13
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1	2023-02-13
http://www.debian.org/security/2011/dsa-2207	2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136	2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138	2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176	2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html	2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html	2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html	2023-02-13
https://access.redhat.com/security/cve/CVE-2009-0580	2010-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=503978	2010-08-04

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.0 Search vendor "Apache" for product "Tomcat" and version "4.1.0"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.1 Search vendor "Apache" for product "Tomcat" and version "4.1.1"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.2 Search vendor "Apache" for product "Tomcat" and version "4.1.2"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.3 Search vendor "Apache" for product "Tomcat" and version "4.1.3"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.3 Search vendor "Apache" for product "Tomcat" and version "4.1.3"		beta		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.4 Search vendor "Apache" for product "Tomcat" and version "4.1.4"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.5 Search vendor "Apache" for product "Tomcat" and version "4.1.5"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.6 Search vendor "Apache" for product "Tomcat" and version "4.1.6"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.7 Search vendor "Apache" for product "Tomcat" and version "4.1.7"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.8 Search vendor "Apache" for product "Tomcat" and version "4.1.8"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.9 Search vendor "Apache" for product "Tomcat" and version "4.1.9"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.9 Search vendor "Apache" for product "Tomcat" and version "4.1.9"		beta		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.10 Search vendor "Apache" for product "Tomcat" and version "4.1.10"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.11 Search vendor "Apache" for product "Tomcat" and version "4.1.11"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.12 Search vendor "Apache" for product "Tomcat" and version "4.1.12"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.13 Search vendor "Apache" for product "Tomcat" and version "4.1.13"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.14 Search vendor "Apache" for product "Tomcat" and version "4.1.14"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.15 Search vendor "Apache" for product "Tomcat" and version "4.1.15"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.16 Search vendor "Apache" for product "Tomcat" and version "4.1.16"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.17 Search vendor "Apache" for product "Tomcat" and version "4.1.17"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.18 Search vendor "Apache" for product "Tomcat" and version "4.1.18"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.19 Search vendor "Apache" for product "Tomcat" and version "4.1.19"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.20 Search vendor "Apache" for product "Tomcat" and version "4.1.20"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.21 Search vendor "Apache" for product "Tomcat" and version "4.1.21"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.22 Search vendor "Apache" for product "Tomcat" and version "4.1.22"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.23 Search vendor "Apache" for product "Tomcat" and version "4.1.23"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.24 Search vendor "Apache" for product "Tomcat" and version "4.1.24"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.25 Search vendor "Apache" for product "Tomcat" and version "4.1.25"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.26 Search vendor "Apache" for product "Tomcat" and version "4.1.26"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.27 Search vendor "Apache" for product "Tomcat" and version "4.1.27"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.28 Search vendor "Apache" for product "Tomcat" and version "4.1.28"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.29 Search vendor "Apache" for product "Tomcat" and version "4.1.29"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.30 Search vendor "Apache" for product "Tomcat" and version "4.1.30"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.31 Search vendor "Apache" for product "Tomcat" and version "4.1.31"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.32 Search vendor "Apache" for product "Tomcat" and version "4.1.32"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.33 Search vendor "Apache" for product "Tomcat" and version "4.1.33"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.34 Search vendor "Apache" for product "Tomcat" and version "4.1.34"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.35 Search vendor "Apache" for product "Tomcat" and version "4.1.35"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.36 Search vendor "Apache" for product "Tomcat" and version "4.1.36"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.37 Search vendor "Apache" for product "Tomcat" and version "4.1.37"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.38 Search vendor "Apache" for product "Tomcat" and version "4.1.38"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				4.1.39 Search vendor "Apache" for product "Tomcat" and version "4.1.39"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.0 Search vendor "Apache" for product "Tomcat" and version "5.5.0"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.1 Search vendor "Apache" for product "Tomcat" and version "5.5.1"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.2 Search vendor "Apache" for product "Tomcat" and version "5.5.2"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.3 Search vendor "Apache" for product "Tomcat" and version "5.5.3"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.4 Search vendor "Apache" for product "Tomcat" and version "5.5.4"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.5 Search vendor "Apache" for product "Tomcat" and version "5.5.5"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.6 Search vendor "Apache" for product "Tomcat" and version "5.5.6"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.7 Search vendor "Apache" for product "Tomcat" and version "5.5.7"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.8 Search vendor "Apache" for product "Tomcat" and version "5.5.8"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.9 Search vendor "Apache" for product "Tomcat" and version "5.5.9"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.10 Search vendor "Apache" for product "Tomcat" and version "5.5.10"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.11 Search vendor "Apache" for product "Tomcat" and version "5.5.11"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.12 Search vendor "Apache" for product "Tomcat" and version "5.5.12"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.13 Search vendor "Apache" for product "Tomcat" and version "5.5.13"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.14 Search vendor "Apache" for product "Tomcat" and version "5.5.14"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.15 Search vendor "Apache" for product "Tomcat" and version "5.5.15"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.16 Search vendor "Apache" for product "Tomcat" and version "5.5.16"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.17 Search vendor "Apache" for product "Tomcat" and version "5.5.17"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.18 Search vendor "Apache" for product "Tomcat" and version "5.5.18"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.19 Search vendor "Apache" for product "Tomcat" and version "5.5.19"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.20 Search vendor "Apache" for product "Tomcat" and version "5.5.20"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.21 Search vendor "Apache" for product "Tomcat" and version "5.5.21"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.22 Search vendor "Apache" for product "Tomcat" and version "5.5.22"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.23 Search vendor "Apache" for product "Tomcat" and version "5.5.23"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.24 Search vendor "Apache" for product "Tomcat" and version "5.5.24"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.25 Search vendor "Apache" for product "Tomcat" and version "5.5.25"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.26 Search vendor "Apache" for product "Tomcat" and version "5.5.26"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				5.5.27 Search vendor "Apache" for product "Tomcat" and version "5.5.27"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.0 Search vendor "Apache" for product "Tomcat" and version "6.0.0"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.1 Search vendor "Apache" for product "Tomcat" and version "6.0.1"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.2 Search vendor "Apache" for product "Tomcat" and version "6.0.2"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.3 Search vendor "Apache" for product "Tomcat" and version "6.0.3"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.4 Search vendor "Apache" for product "Tomcat" and version "6.0.4"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.5 Search vendor "Apache" for product "Tomcat" and version "6.0.5"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.6 Search vendor "Apache" for product "Tomcat" and version "6.0.6"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.7 Search vendor "Apache" for product "Tomcat" and version "6.0.7"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.8 Search vendor "Apache" for product "Tomcat" and version "6.0.8"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.9 Search vendor "Apache" for product "Tomcat" and version "6.0.9"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.10 Search vendor "Apache" for product "Tomcat" and version "6.0.10"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.11 Search vendor "Apache" for product "Tomcat" and version "6.0.11"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.12 Search vendor "Apache" for product "Tomcat" and version "6.0.12"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.13 Search vendor "Apache" for product "Tomcat" and version "6.0.13"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.14 Search vendor "Apache" for product "Tomcat" and version "6.0.14"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.15 Search vendor "Apache" for product "Tomcat" and version "6.0.15"		-		Affected
Apache Search vendor "Apache"		Tomcat Search vendor "Apache" for product "Tomcat"				6.0.16 Search vendor "Apache" for product "Tomcat" and version "6.0.16"		-		Affected