Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
CVE-2009-0580
Score elevated to 9.0 because EPSS predicts 88% probability of exploitation within the next 30 days (top 0.5% of all CVEs). Confidence: see factors.
- 59 internet-exposed hosts are running an affected version right now
- High exploitation likelihood — EPSS 94%
A fix is available — apply it.
59 internet-exposed hosts are running an affected version of CVE-2009-0580 right now.
EchelonGraph is the only CVE feed that fuses live vulnerability intelligence with its own live internet-exposure radar — so you see not just that a CVE is exploited, but how much of the internet is exposed to it right now.
- CVSS v3
- —
- EG Score
- 9.0(low)
- EPSS
- 99.8%
- KEV
- Not listed
Published
June 5, 2009
Last Modified
April 23, 2026
References (98)
- secalert@redhathttp://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- secalert@redhathttp://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
- secalert@redhathttp://marc.info/?l=bugtraq&m=127420533226623&w=2
- secalert@redhathttp://marc.info/?l=bugtraq&m=129070310906557&w=2
- secalert@redhathttp://marc.info/?l=bugtraq&m=133469267822771&w=2
- secalert@redhathttp://marc.info/?l=bugtraq&m=136485229118404&w=2
- secalert@redhathttp://secunia.com/advisories/35326
- secalert@redhathttp://secunia.com/advisories/35344
- secalert@redhathttp://secunia.com/advisories/35685
- secalert@redhathttp://secunia.com/advisories/35788
- secalert@redhathttp://secunia.com/advisories/37460
- secalert@redhathttp://secunia.com/advisories/42368
- secalert@redhathttp://securitytracker.com/id?1022332
- secalert@redhathttp://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
- secalert@redhathttp://support.apple.com/kb/HT4077
Vendor Advisories for CVE-2009-0580(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Patch Availability(10)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | tomcat6-examples (6.0.18-0ubuntu6.1) @ jaunty | 2026-05-30 | ubuntu |
| redhat | xml-commons-0:1.3.02-2jpp_1rh | 2010-08-04 | redhat |
| redhat | tomcat5-0:5.5.23-0jpp_18rh | 2009-11-30 | redhat |
| redhat | tomcat5-0:5.5.23-0jpp_4rh.16 | 2009-11-09 | redhat |
| redhat | tomcat6-0:6.0.18-12.0.ep5.el5 | 2009-10-14 | redhat |
| redhat | tomcat5-0:5.5.23-0jpp.9.6.ep5.el5 | 2009-09-21 | redhat |
| redhat | tomcat5-0:5.5.23-0jpp.7.el5_3.2 | 2009-07-21 | redhat |
| redhat | xerces-j2-0:2.7.1-9jpp.ep1.2.el4 | 2009-07-06 | redhat |
| redhat | rh-eap-docs-0:4.3.0-5.GA_CP05.ep1.2.1.el5 | 2009-07-06 | redhat |
| redhat | rh-eap-docs-0:4.2.0-5.GA_CP07.ep1.1.1.el5 | 2009-07-06 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(1 across 1 ecosystem)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.apache.tomcat:tomcat | — | 6.0.19 | — |
Additional Vendor Advisories
(11)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2009:1143LOW2009-06-03
RHSA-2009:1143 — Low
- Red HatRHSA-2009:1144LOW2009-06-03
RHSA-2009:1144 — Low
- Red HatRHSA-2009:1145LOW2009-06-03
RHSA-2009:1145 — Low
- Red HatRHSA-2009:1146LOW2009-06-03
RHSA-2009:1146 — Low
- Red HatRHSA-2009:1164LOW2009-06-03
RHSA-2009:1164 — Low
- Red HatRHSA-2009:1454LOW2009-06-03
RHSA-2009:1454 — Low
- Red HatRHSA-2009:1506LOW2009-06-03
RHSA-2009:1506 — Low
- Red HatRHSA-2009:1562LOW2009-06-03
RHSA-2009:1562 — Low
- Red HatRHSA-2009:1563LOW2009-06-03
RHSA-2009:1563 — Low
- Red HatRHSA-2009:1616LOW2009-06-03
RHSA-2009:1616 — Low
- UbuntuUSN-788-1LOW
Tomcat vulnerabilities
Data Freshness Timeline
(refreshed 1× in last 7d / 14× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
- 2026-07-01 15:02 UTCEPSS rescore
- 2026-06-30 23:19 UTCEPSS rescore
- 2026-06-25 13:46 UTCEPSS rescore
- 2026-06-25 13:46 UTCEPSS rescore
- 2026-06-23 21:29 UTCEPSS rescore
- 2026-06-23 21:29 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-18 17:49 UTCEPSS rescore
- 2026-06-15 17:44 UTCEPSS rescore
- 2026-06-14 23:14 UTCEPSS rescore
- 2026-06-14 23:14 UTCEPSS rescore
- 2026-06-13 22:57 UTCEPSS rescore
- 2026-06-10 22:14 UTCEPSS rescore
- 2026-06-10 13:17 UTCEPSS rescore
- 2026-06-07 15:22 UTCEPSS rescore
- 2026-06-07 15:22 UTCEPSS rescore
- 2026-06-06 13:44 UTCEPSS rescore
- 2026-06-06 13:44 UTCEPSS rescore
- 2026-06-06 13:44 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 22:44 UTCEPSS rescore
- 2026-06-05 06:07 UTCEPSS rescore
- 2026-05-30 16:39 UTCEG score recompute
- 2026-05-30 16:39 UTCVendor advisory
- 2026-05-29 13:40 UTCEPSS rescore
Show 13 moreShow fewer
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-28 13:42 UTCEPSS rescore
- 2026-05-26 13:41 UTCEPSS rescore
- 2026-05-26 13:41 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-26 07:16 UTCEPSS rescore
- 2026-05-24 16:43 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-22 21:15 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-20 22:37 UTCEPSS rescore
- 2026-05-18 21:29 UTCEPSS rescore
Publicly available exploits
(2 references)Working exploit code is in the public domain (1 Metasploit module) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Exploit-DBEDB-33023✓ verifiedFirst seen Jun 3, 2009
Apache Tomcat 6.0.18 - Form Authentication Existing/Non-Existing 'Username' Enumeration
Open source ↗ - Metasploitauxiliary/scanner/http/tomcat_enum✓ verifiedFirst seen Jan 1, 2009
Apache Tomcat User Enumeration
Open source ↗
Frequently asked(4)
What is CVE-2009-0580?
When was CVE-2009-0580 disclosed?
Is CVE-2009-0580 actively exploited?
How do I remediate CVE-2009-0580?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2009-0580
Is Your Infrastructure Affected by CVE-2009-0580?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.