CVE-2011-1419 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=7.0 <7.0.11
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.16103 (percentile 0.94544)
Details
Apache Tomcat does not follow ServletSecurity annotations

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.
Metadata
Created: 2022-05-17T02:00:34Z
Modified: 2024-01-19T19:29:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-vch7-92vf-jm44/GHSA-vch7-92vf-jm44.json
CWE IDs: ["CWE-284"]
Alternative ID: GHSA-vch7-92vf-jm44
Finding: F039
Auto approve: 1