CVE-2011-1088: Synchronous Access of Remote Resource without Timeout in Apache Tomcat

Severity
NVD: 5.8 MEDIUM
GHSA: 6.4
EPSS: 16.4% (top 5.13%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Mar 14
Latest update: May 17

Description

Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.

CVSS vector

AV:N/AC:M/C:P/I:P/A:N
Exploitability: 8.6 | Impact: 4.9

Affected Packages (1 package)

NVD: apache/tomcat, 10 versions (+9)

Patches

Vulnerability Details (7)

GHSA: Apache Tomcat does not follow ServletSecurity annotations (2022-05-17)
OSV: Apache Tomcat allows remote attackers to bypass intended access restrictions (2022-05-14)
GHSA: Apache Tomcat allows remote attackers to bypass intended access restrictions (2022-05-14)
GHSA: Access restriction bypass in Apache Tomcat (2022-05-14)
GHSA: Access control bypass in Apache Tomcat (2022-05-14)

Vendor Advisories (4)

Red Hat: tomcat: various flaws due to not following ServletSecurity annotations (2011-03-02)
Red Hat: tomcat: various flaws due to not following ServletSecurity annotations (2011-03-02)
Red Hat: tomcat: various flaws due to not following ServletSecurity annotations (2011-03-02)
Red Hat: tomcat: various flaws due to not following ServletSecurity annotations (2011-03-02)

Community (1)

Bugzilla: CVE-2011-1088 CVE-2011-1183 CVE-2011-1419 CVE-2011-1582 tomcat: various flaws due to not following ServletSecurity annotations (2011-05-30)
CVE-2011-1088 — Apache Tomcat vulnerability | cvebase