Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.
marc.info/?l=bugtraq&m=132215163318824&w=2
marc.info/?l=bugtraq&m=133469267822771&w=2
marc.info/?l=bugtraq&m=136485229118404&w=2
marc.info/?l=bugtraq&m=139344343412337&w=2
svn.apache.org/viewvc?view=revision&revision=1145383
svn.apache.org/viewvc?view=revision&revision=1145571
svn.apache.org/viewvc?view=revision&revision=1145694
svn.apache.org/viewvc?view=revision&revision=1146005
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
www.debian.org/security/2012/dsa-2401
www.mandriva.com/security/advisories?name=MDVSA-2011:156
access.redhat.com/errata/RHSA-2012:0074
access.redhat.com/errata/RHSA-2012:0075
access.redhat.com/errata/RHSA-2012:0076
bugzilla.redhat.com/show_bug.cgi?id=720948
exchange.xforce.ibmcloud.com/vulnerabilities/68541
github.com/apache/tomcat/commit/1d372c881eafd9ffe729996f8560fd5fe50cd39d
github.com/apache/tomcat/commit/2e69497fa7b1444632c6dadb64a4a82e18478ee6
github.com/apache/tomcat/commit/48dded4ab1209a030770ab67a789d3b2528b6329
github.com/apache/tomcat/commit/ff8789737a0a64c12d68929497f16d8021052048
github.com/apache/tomcat55/commit/e67f6882118f2a8285e4e8acd050dad64a3ef3e4
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2011-2526
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14573
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19514
web.archive.org/web/20110717104325/www.securityfocus.com/bid/48667
web.archive.org/web/20111110135231/www.securityfocus.com/archive/1/518889/100/0/threaded
web.archive.org/web/20121025191346/secunia.com/advisories/45232
web.archive.org/web/20140802025928/secunia.com/advisories/48308
web.archive.org/web/20151017023138/secunia.com/advisories/57126
web.archive.org/web/20160101172212/rhn.redhat.com/errata/RHSA-2012-0078.html
web.archive.org/web/20160101172638/rhn.redhat.com/errata/RHSA-2012-0077.html
web.archive.org/web/20160101195415/rhn.redhat.com/errata/RHSA-2012-0325.html
web.archive.org/web/20161107143207/www.securitytracker.com/id?1025788