CVE-2011-3190 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=7.0.0 <7.0.21 || >=6.0.0 <6.0.34 || >=5.0.0 <5.5.34
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00872 (percentile: 0.74351)
Details
Apache Tomcat Allows Remote Attackers to Spoof AJP Requests
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
Metadata
Created: 2022-05-14T01:17:02Z
Modified: 2024-02-21T22:10:43Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c38m-v4m2-524v/GHSA-c38m-v4m2-524v.json
CWE IDs: ["CWE-287"]
Alternative ID: GHSA-c38m-v4m2-524v
Finding: F039
Auto approve: 1