CVE-2009-0580
Medium
CVSS v3 Base Score
4.3
AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS Score
88.2%
Exploitation probability in 30 days
Top 1% most likely to be exploited
Attack Characteristics
Attack Vector
Network
Attack Complexity
M
Confidentiality
P
Integrity
None
Availability
None
Vulnerability Report
Generated by CyberWatcher
Description
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
CWE
CWE-200
Affected Products
apache tomcat