Vulnerability details: VCID-d9ys-kxh6-nkgr
Vulnerability ID VCID-d9ys-kxh6-nkgr
Aliases CVE-2011-1184
GHSA-q9xf-jwr4-v445
Summary The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
epss 0.02237 https://api.first.org/data/v1/epss?cve=CVE-2011-1184
apache_tomcat Moderate https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-q9xf-jwr4-v445
generic_textual MODERATE https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat55/commit/644dfdf96cf82fcd2a2046d93f2b5495f7e94584
generic_textual MODERATE https://github.com/apache/tomcat/commit/639e20992a66d7a42fb59c974db91c8a0f730a1e
generic_textual MODERATE https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2011-1184
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html
http://marc.info/?l=bugtraq&m=133469267822771&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://rhn.redhat.com/errata/RHSA-2012-0074.html
http://rhn.redhat.com/errata/RHSA-2012-0075.html
http://rhn.redhat.com/errata/RHSA-2012-0076.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-1184.json
https://api.first.org/data/v1/epss?cve=CVE-2011-1184
https://github.com/apache/tomcat
https://github.com/apache/tomcat55/commit/644dfdf96cf82fcd2a2046d93f2b5495f7e94584
https://github.com/apache/tomcat/commit/639e20992a66d7a42fb59c974db91c8a0f730a1e
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19169
https://svn.apache.org/viewvc?view=rev&rev=1087655
https://svn.apache.org/viewvc?view=rev&rev=1158180
https://svn.apache.org/viewvc?view=rev&rev=1159309
http://svn.apache.org/viewvc?view=rev&rev=1087655
http://svn.apache.org/viewvc?view=rev&rev=1158180
http://svn.apache.org/viewvc?view=rev&rev=1159309
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://www.debian.org/security/2012/dsa-2401
http://www.redhat.com/support/errata/RHSA-2011-1845.html
741401 https://bugzilla.redhat.com/show_bug.cgi?id=741401
CVE-2011-1184 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184
CVE-2011-1184 https://nvd.nist.gov/vuln/detail/CVE-2011-1184
GHSA-q9xf-jwr4-v445 https://github.com/advisories/GHSA-q9xf-jwr4-v445
GLSA-201206-24 https://security.gentoo.org/glsa/201206-24
RHSA-2011:1780 https://access.redhat.com/errata/RHSA-2011:1780
RHSA-2012:0041 https://access.redhat.com/errata/RHSA-2012:0041
RHSA-2012:0077 https://access.redhat.com/errata/RHSA-2012:0077
RHSA-2012:0078 https://access.redhat.com/errata/RHSA-2012:0078
RHSA-2012:0091 https://access.redhat.com/errata/RHSA-2012:0091
RHSA-2012:0325 https://access.redhat.com/errata/RHSA-2012:0325
RHSA-2012:0679 https://access.redhat.com/errata/RHSA-2012:0679
RHSA-2012:0680 https://access.redhat.com/errata/RHSA-2012:0680
RHSA-2012:0681 https://access.redhat.com/errata/RHSA-2012:0681
RHSA-2012:0682 https://access.redhat.com/errata/RHSA-2012:0682
USN-1252-1 https://usn.ubuntu.com/1252-1/
No exploits are available.
Exploit Prediction Scoring System (EPSS)
Percentile 0.84474
EPSS Score 0.02237
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:15.695086+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-7.html 38.0.0