Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score 5.8
CVE Id CVE-2011-1419
Last Modified 21 Sep 2011 11:30:12
Published 14 Mar 2011 03:55:02
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2011-1419

Summary

Apache Tomcat 7.x before 7.0.11, when web.xml declares no security constraints, does not honor @ServletSecurity annotations, which allows remote attackers to bypass the intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.

Vulnerable Systems

Application

  • Apache Tomcat 7.0.0
  • Apache Tomcat 7.0.1
  • Apache Tomcat 7.0.2
  • Apache Tomcat 7.0.3
  • Apache Tomcat 7.0.4
  • Apache Tomcat 7.0.5
  • Apache Tomcat 7.0.6
  • Apache Tomcat 7.0.7
  • Apache Tomcat 7.0.8
  • Apache Tomcat 7.0.9
  • Apache Tomcat 7.0.10

References

  • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1079752
  • CONFIRM - http://tomcat.apache.org/security-7.html
  • XF - apache-servletsecurity-sec-bypass(66154)
  • XF - tomcat-servletsecurity-sec-bypass(65971)
  • VUPEN - ADV-2011-0563
  • BID - 46685
  • OSVDB - 71027
  • SREASON - 8131
  • SECUNIA - 43684
  • MLIST - [users] 20110302 Re: @DenyAll does nothing
  • MLIST - [users] 20110309 [SECURITY] Tomcat 7 ignores @ServletSecurity annotations
  • MLIST - [announce] 20110302 [SECURITY] Tomcat 7 ignores @ServletSecurity annotations

Last Updated: 27 May 2016 10:56:18