CVE-2011-1419

Current Description

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.

Referenced by CVEs: CVE-2011-1183, CVE-2011-1582

Basic Data

Published: March 14, 2011
Last Modified: August 17, 2017
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-Other
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Integrity Impact: PARTIAL (from the I:P component of the vector string)
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 5.8
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 4.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    CPE Version | Part | Vendor | Product | Version | Update
    (Edition, Language, SW Edition, Target SW, Target HW and Other are "*" for every entry; Version Start/End Including and Version Start/End Excluding are empty)
    2.3 | Application | Apache | Tomcat | 7.0.0 | *
    2.3 | Application | Apache | Tomcat | 7.0.0 | beta
    2.3 | Application | Apache | Tomcat | 7.0.1 | *
    2.3 | Application | Apache | Tomcat | 7.0.2 | *
    2.3 | Application | Apache | Tomcat | 7.0.3 | *
    2.3 | Application | Apache | Tomcat | 7.0.4 | *
    2.3 | Application | Apache | Tomcat | 7.0.5 | *
    2.3 | Application | Apache | Tomcat | 7.0.6 | *
    2.3 | Application | Apache | Tomcat | 7.0.7 | *
    2.3 | Application | Apache | Tomcat | 7.0.8 | *
    2.3 | Application | Apache | Tomcat | 7.0.9 | *
    2.3 | Application | Apache | Tomcat | 7.0.10 | *

Vulnerable Software List

Vendor | Product | Versions
Apache | Tomcat | 7.0.0, 7.0.1, 7.0.10, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9

References

Name | URL | Source | Tags
[announce] 20110302 [SECURITY] Tomcat 7 ignores @ServletSecurity annotations | http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106@apache.org%3E | MLIST |
[users] 20110309 [SECURITY] Tomcat 7 ignores @ServletSecurity annotations | http://marc.info/?l=tomcat-user&m=129966773405409&w=2 | MLIST |
[users] 20110302 Re: @DenyAll does nothing | http://markmail.org/message/lzx5273wsgl5pob6 | MLIST |
[users] 20110302 Re: @DenyAll does nothing | http://markmail.org/message/yzmyn44f5aetmm2r | MLIST |
43684 | http://secunia.com/advisories/43684 | SECUNIA | Vendor Advisory
8131 | http://securityreason.com/securityalert/8131 | SREASON |
http://svn.apache.org/viewvc?view=revision&revision=1079752 | http://svn.apache.org/viewvc?view=revision&revision=1079752 | CONFIRM | Patch
http://tomcat.apache.org/security-7.html | http://tomcat.apache.org/security-7.html | CONFIRM |
71027 | http://www.osvdb.org/71027 | OSVDB |
46685 | http://www.securityfocus.com/bid/46685 | BID |
ADV-2011-0563 | http://www.vupen.com/english/advisories/2011/0563 | VUPEN | Vendor Advisory
tomcat-servletsecurity-sec-bypass(65971) | https://exchange.xforce.ibmcloud.com/vulnerabilities/65971 | XF |
apache-servletsecurity-sec-bypass(66154) | https://exchange.xforce.ibmcloud.com/vulnerabilities/66154 | XF |