VYPR
← All advisories
Moderate severityNVD Advisory· Published Jun 5, 2009· Updated Apr 23, 2026

CVE-2009-0580

CVE-2009-0580

Description

Apache Tomcat with FORM authentication allows remote attackers to enumerate valid usernames via malformed password encoding in /j_security_check requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Tomcat with FORM authentication allows remote attackers to enumerate valid usernames via malformed password encoding in `/j_security_check` requests.

Vulnerability

Apache Tomcat versions 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 are affected when FORM authentication is enabled [1][4]. The vulnerability resides in the MemoryRealm, DataSourceRealm, and JDBCRealm authentication realms, which improperly handle malformed URL encoding of the j_password parameter during login requests to /j_security_check. A specially crafted request with a percent (%) value for j_password triggers an error that reveals whether the submitted username is valid.

Exploitation

An attacker with network access to the Tomcat server can send HTTP requests to /j_security_check with a malformed j_password parameter (e.g., j_password=%). No authentication or prior access is required. The server's response differs based on whether the username exists, allowing the attacker to enumerate valid usernames by observing the error or redirect behavior.

Impact

Successful exploitation enables an attacker to enumerate valid usernames on the Tomcat server. This information disclosure can be leveraged for targeted brute-force attacks or social engineering. The vulnerability does not directly lead to code execution or privilege escalation, but it weakens authentication security.

Mitigation

Tomcat 6.0.x has reached end of life and is no longer supported; users should upgrade to Tomcat 9.0.x or later to receive security fixes [1]. For older branches (4.1.x and 5.5.x), no patches are available as they are also end-of-life. The recommended mitigation is to upgrade to a supported Tomcat version.

References
  1. Apache Tomcat® - Apache Tomcat 6 vulnerabilities
  2. NVD - CVE-2009-0580

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcatMaven
>= 4.1.0, < 4.1.404.1.40
org.apache.tomcat:tomcatMaven
>= 5.0.0, < 5.5.285.5.28
org.apache.tomcat:tomcatMaven
>= 6.0.0, < 6.0.196.0.19

Affected products

88
  • Apache/Tomcat87 versions
    cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*+ 86 more
    • cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.32:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.33:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.34:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.35:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.37:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.38:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.39:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
  • ghsa-coords
    pkg:maven/org.apache.tomcat/tomcat
    Range: >= 4.1.0, < 4.1.40

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

71

News mentions

0

No linked articles in our index yet.