CVE-2009-0580: Exposure of Sensitive Information to an Unauthorized Actor

May 2, 2022 (updated June 17, 2022)

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.

References

github.com/advisories/GHSA-w227-xcfx-3pj8
nvd.nist.gov/vuln/detail/CVE-2009-0580

Code Behaviors & Features

Detect and mitigate CVE-2009-0580 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →