CVE-2011-2481 — Sensitive Information Exposure in Apache Tomcat
Severity
4.6 MEDIUM (NVD)
CNA 4.2 | GHSA 4.2 | OSV 4.2
EPSS
0.2%
top 52.41%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
Published: Aug 15
Latest update: May 17
Description
Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.
CVSS vector
AV:L/AC:L/C:P/I:P/A:P
Exploitability: 3.9 | Impact: 6.4