CVE-2011-1419 — Improper Access Control in Apache Tomcat

CWE-284 — Improper Access Control10 documents6 sources

Severity

5.8MEDIUMNVD

EPSS

16.1%

top 5.20%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat

Timeline

PublishedMar 14

Latest updateMay 17

Description

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.

CVSS vector

AV:N/AC:M/C:P/I:P/A:NExploitability: 8.6 | Impact: 4.9

Affected Packages1 packages

▶NVDapache/tomcat11 versions+10

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

OSV

Apache Tomcat does not follow ServletSecurity annotations↗2022-05-17

▶

GHSA

Apache Tomcat does not follow ServletSecurity annotations↗2022-05-17

▶

GHSA

Access restriction bypass in Apache Tomcat↗2022-05-14

▶

GHSA

Access controll bypass in Apache Tomcat↗2022-05-14

▶

CVEList

CVE-2011-1419: Apache Tomcat 7↗2011-03-14

▶

📋Vendor Advisories

Red Hat

tomcat: various flaws due not following ServletSecurity annotations↗2011-03-02

▶

Red Hat

tomcat: various flaws due not following ServletSecurity annotations↗2011-03-02

▶

Red Hat

tomcat: various flaws due not following ServletSecurity annotations↗2011-03-02

▶

💬Community

Bugzilla

CVE-2011-1088 CVE-2011-1183 CVE-2011-1419 CVE-2011-1582 tomcat: various flaws due not following ServletSecurity annotations↗2011-05-30

▶