CVE-2010-1157
Description
Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Tomcat leaks the server's hostname or IP address via the WWW-Authenticate realm field when BASIC or DIGEST authentication is used.
Vulnerability
Apache Tomcat versions 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 expose the server's hostname or IP address when a remote attacker sends a request for a resource protected by either BASIC or DIGEST authentication. The realm field in the WWW-Authenticate header contains the server's hostname or IP address. This affects all configurations where these authentication methods are enabled on a protected resource [1][2][3][4].
Exploitation
The attacker only needs network access to the Tomcat server and the ability to request a resource that requires BASIC or DIGEST authentication. No authentication or special privileges are needed. When an HTTP request for a protected resource is sent, the server responds with a 401 Unauthorized status and includes a WWW-Authenticate header whose realm value reveals the server's hostname or IP address [1][2][3][4].
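A defender-side check for this leak, added here as an example (it is not code from this advisory or from Tomcat): it extracts the realm from a 401 response's WWW-Authenticate value and flags a realm that looks like the server's own address rather than a descriptive label. The sample header values are constructed, and the ":port" handling and the comparison against the requested host are assumptions of the heuristic, not a description of Tomcat's exact realm format.

```python
import ipaddress
import re

# Constructed WWW-Authenticate values for illustration (not captured from a real server).
SAMPLES = {
    "basic_ip":      'Basic realm="10.0.0.12:8080"',
    "basic_host":    'Basic realm="app01.corp.example.internal"',
    "digest_host":   'Digest realm="tomcat-node3.example.org", qop="auth", nonce="c0ffee"',
    "basic_generic": 'Basic realm="Authentication required"',
    "basic_short":   'Basic realm="tomcat01"',
}

# realm=value, quoted or bare, anywhere in the challenge (works for Basic and Digest).
_REALM_RE = re.compile(r'realm\s*=\s*(?:"([^"]*)"|([^,\s]+))', re.IGNORECASE)
_LABEL = r'(?!-)[a-z0-9-]{1,63}(?<!-)'
_FQDN_RE = re.compile(r'^' + _LABEL + r'(\.' + _LABEL + r')+\.?$', re.IGNORECASE)
_PORT_RE = re.compile(r':\d{1,5}$')  # assumed optional "host:port" form

def parse_realm(header_value):
    """Split a WWW-Authenticate value into (scheme, realm); realm is None if absent."""
    scheme = header_value.split(None, 1)[0]
    m = _REALM_RE.search(header_value)
    if not m:
        return scheme, None
    return scheme, (m.group(1) if m.group(1) is not None else m.group(2))

def realm_leaks_address(realm, requested_host=None):
    """Heuristic: True when the realm looks like the server's address, not a label.

    Signals, strongest first: realm equals the host the request was sent to; it is an
    IP literal; it is a multi-label hostname. A trailing ":port" is tolerated. A
    single-label hostname is only detectable when requested_host is supplied.
    """
    if not realm:
        return False
    bare = _PORT_RE.sub("", realm.strip()).strip("[]")
    if requested_host and bare.lower() == requested_host.lower():
        return True
    try:
        ipaddress.ip_address(bare)
        return True
    except ValueError:
        return bool(_FQDN_RE.match(bare))

def audit(header_value, requested_host=None):
    """Audit one 401 response's WWW-Authenticate value -> (scheme, realm, leaks_address)."""
    scheme, realm = parse_realm(header_value)
    return scheme, realm, realm_leaks_address(realm, requested_host)
```

Run `audit()` over the WWW-Authenticate header of each 401 your scanner collects, passing the Host you sent the request to; a True result on a Tomcat 5.5.x/6.0.x host is the condition this CVE describes.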
Impact
An attacker can discover the Tomcat server's internal hostname or IP address, which may aid in network reconnaissance or help identify internal infrastructure. The information disclosure is limited to the hostname or IP address; no further compromise of the server is achieved [1][2][3][4].
Mitigation
Apache Tomcat 5.5.x and 6.0.x have reached end of life and are no longer supported. Users should upgrade to Tomcat 9.0.x or later to receive security fixes. For affected versions, no official patch is available; upgrading is the only recommended mitigation [1][2][3][4].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.tomcat:tomcat | Maven | >= 5.5.0, < 5.5.30 | 5.5.30 |
| org.apache.tomcat:tomcat | Maven | >= 6.0.0, < 6.0.28 | 6.0.28 |
Affected products
- cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- svn.apache.org/viewvc (NVD: Patch; GHSA; two entries, URLs truncated)
- tomcat.apache.org/security-5.html (NVD: Patch, Vendor Advisory; GHSA)
- tomcat.apache.org/security-6.html (NVD: Patch, Vendor Advisory; GHSA)
- secunia.com/advisories/39574 (NVD: Vendor Advisory)
- secunia.com/advisories/42368 (NVD: Vendor Advisory)
- secunia.com/advisories/43310 (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2010/0980 (NVD: Vendor Advisory)
- www.vupen.com/english/advisories/2010/3056 (NVD: Vendor Advisory)
- github.com/advisories/GHSA-w6q7-ww2x-7gm3 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2010-1157 (GHSA: Advisory)
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E (NVD; GHSA)
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E (NVD; GHSA)
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E (NVD; GHSA)
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E (NVD; GHSA)
- lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html (NVD; GHSA)
- lists.opensuse.org/opensuse-security-announce/2010-09/msg00006.html (NVD; GHSA)
- marc.info (NVD; GHSA; four entries, URLs truncated)
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19492 (NVD)
- support.apple.com/kb/HT5002 (NVD; GHSA)
- www.debian.org/security/2011/dsa-2207 (NVD; GHSA)
- secunia.com/advisories/57126 (NVD)
- www.mandriva.com/security/advisories (NVD; two entries, URLs truncated)
- www.redhat.com/support/errata/RHSA-2011-0896.html (NVD)
- www.redhat.com/support/errata/RHSA-2011-0897.html (NVD)
- www.securityfocus.com/archive/1/510879/100/0/threaded (NVD)
- www.securityfocus.com/archive/1/516397/100/0/threaded (NVD)
- www.securityfocus.com/bid/39635 (NVD)
- www.vmware.com/security/advisories/VMSA-2011-0003.html (NVD)
- www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html (NVD)
News mentions
No linked articles in our index yet.