GoogleOSV:GHSA-VCH7-92VF-JM44Apache Tomcat does not follow ServletSecurity annotations
6.6 Medium
AI Score
Confidence
Low
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
56.5%
Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.
References
mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%[email protected]%3E
marc.info/?l=tomcat-user&m=129966773405409&w=2
svn.apache.org/viewvc?view=revision&revision=1079752
tomcat.apache.org/security-7.html
exchange.xforce.ibmcloud.com/vulnerabilities/65971
exchange.xforce.ibmcloud.com/vulnerabilities/66154
github.com/apache/tomcat
github.com/apache/tomcat/commit/0ff4905158b77787a7f3aca55c9dec93456665dc
github.com/apache/tomcat/commit/3e5b0455483eed55752047073e92403bfca8d3ec
nvd.nist.gov/vuln/detail/CVE-2011-1419
web.archive.org/web/20110307182442/markmail.org/message/yzmyn44f5aetmm2r
web.archive.org/web/20110323002552/markmail.org/message/lzx5273wsgl5pob6
web.archive.org/web/20170202135440/www.securityfocus.com/bid/46685
Related
6.6 Medium
AI Score
Confidence
Low
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
56.5%