5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.003 Low
EPSS
Percentile
69.5%
Important: Information disclosure CVE-2011-1475
Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred including the mixing up of responses between requests. While the mix-up in responses was only observed between requests from the same user, a mix-up of responses for requests from different users may also be possible.
This was fixed in revisions 1086349 and 1086352. (Note: HTTP pipelined requests are still likely to fail with the HTTP BIO connector but will do so in a secure manner.)
This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar 2011.
Affects: 7.0.0-7.0.11
Moderate: Multiple weaknesses in HTTP DIGEST authentication CVE-2011-1184
Note: Mitre elected to break this issue down into multiple issues and have allocated the following additional references to parts of this issue: CVE-2011-5062, CVE-2011-5063 and CVE-2011-5064. The Apache Tomcat security team will continue to treat this as a single issue using the reference CVE-2011-1184.
The implementation of HTTP DIGEST authentication was discovered to have several weaknesses:
The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication.
This was fixed in revision 1087655.
This was identified by the Tomcat security team on 16 March 2011 and made public on 26 September 2011.
Affects: 7.0.0-7.0.11
Important: Security constraint bypass CVE-2011-1183
A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no login configuration was present in the web.xml and the web application was marked as meta-data complete.
This was fixed in revision 1087643.
This was identified by the Tomcat security team on 17 March 2011 and made public on 6 April 2011.
Affects: 7.0.11
CPE | Name | Operator | Version |
---|---|---|---|
apache tomcat | ge | 7.0.0 | |
apache tomcat | eq | 7.0.11 | |
apache tomcat | le | 7.0.11 |