Moderate severityNVD Advisory· Published Dec 19, 2012· Updated Jun 16, 2026
CVE-2012-3546
CVE-2012-3546
Description
org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcatMaven | >= 6.0.0, < 6.0.36 | 6.0.36 |
org.apache.tomcat:tomcatMaven | >= 7.0.0, < 7.0.30 | 7.0.30 |
Affected products
67cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*+ 65 more
- cpe:2.3:a:apache:tomcat:6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.24:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.26:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.27:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.29:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.35:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.9:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
Patches
Vulnerability mechanics
References
47- svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.javanvdPatchWEB
- svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xmlnvdPatchWEB
- tomcat.apache.org/security-6.htmlnvdVendor AdvisoryWEB
- tomcat.apache.org/security-7.htmlnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-jgm2-m5cg-f66gghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2012-3546ghsaADVISORY
- lists.opensuse.org/opensuse-updates/2012-12/msg00089.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2012-12/msg00090.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2013-01/msg00037.htmlnvdWEB
- marc.infonvdWEB
- marc.infonvdWEB
- rhn.redhat.com/errata/RHSA-2013-0004.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0005.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0146.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0147.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0151.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0157.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0158.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0162.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0163.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0164.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0191.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0192.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0194.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0195.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0196.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0198.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0221.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0235.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0623.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0640.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0641.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2013-0642.htmlnvdWEB
- svn.apache.org/viewvcnvdWEB
- github.com/apache/tomcat/commit/f78c0cdfc8a3c2efdfe6df6b69e5e3daafa3f588ghsaWEB
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19305nvdWEB
- svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1377892ghsaWEB
- archives.neohapsis.com/archives/bugtraq/2012-12/0044.htmlnvd
- rhn.redhat.com/errata/RHSA-2013-0193.htmlnvd
- rhn.redhat.com/errata/RHSA-2013-0197.htmlnvd
- secunia.com/advisories/51984nvd
- secunia.com/advisories/52054nvd
- secunia.com/advisories/57126nvd
- www.securityfocus.com/bid/56812nvd
- www.securitytracker.com/idnvd
- www.ubuntu.com/usn/USN-1685-1nvd
- h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplaynvd
News mentions
0No linked articles in our index yet.