CVE-2011-2526: Improper Input Validation in Apache Tomcat

Severity: 4.4 MEDIUM (NVD)
EPSS: 0.1% (top 67.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: apache/tomcat
Timeline: Published Jul 14, 2011; latest update May 14, 2022

Description

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.
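The description above names three preconditions: an affected Tomcat release, an HTTP APR or HTTP NIO connector, and sendfile enabled on that connector. The script below is an added example (not code from this page or from the Tomcat project) that checks a version string and a server.xml against those preconditions. It assumes the standard Tomcat connector class names (org.apache.coyote.http11.Http11AprProtocol, Http11NioProtocol) and the `useSendfile` connector attribute, which defaults to true on both; the sample server.xml is constructed. A connector declared as protocol="HTTP/1.1" is reported as uncertain, because Tomcat resolves it to the APR connector only when the Tomcat Native library is installed. The check covers configuration only; the actual issue additionally requires an untrusted web application to set the sendfile request attributes.

```python
"""Check Tomcat version and server.xml for the CVE-2011-2526 preconditions.

Added example; assumes Tomcat's connector class names and the useSendfile
attribute. The sample server.xml below is constructed, not a real deployment.
"""
import re
import xml.etree.ElementTree as ET

# Fixed releases per the advisory: 5.5.34, 6.0.33, 7.0.19
FIXED = {(5, 5): (5, 5, 34), (6, 0): (6, 0, 33), (7, 0): (7, 0, 19)}

# Connector implementations that can serve files via sendfile
SENDFILE_PROTOCOLS = {
    "org.apache.coyote.http11.Http11AprProtocol": "APR",
    "org.apache.coyote.http11.Http11NioProtocol": "NIO",
}


def parse_version(version):
    """'7.0.18' -> (7, 0, 18); raises ValueError on anything else."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(int(g) for g in m.groups())


def version_is_vulnerable(version):
    """True when the version is in an affected branch and before its fix."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def sendfile_connectors(server_xml):
    """List (port, transport, certain) for HTTP connectors able to use sendfile.

    certain is False for protocol="HTTP/1.1": Tomcat picks the APR connector
    for it only if the Tomcat Native library is present, otherwise BIO.
    """
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if "ajp" in proto.lower():
            continue  # AJP connectors are not HTTP connectors
        if conn.get("useSendfile", "true").lower() == "false":
            continue  # sendfile explicitly disabled on this connector
        if proto in SENDFILE_PROTOCOLS:
            findings.append((conn.get("port"), SENDFILE_PROTOCOLS[proto], True))
        elif proto == "HTTP/1.1":
            findings.append((conn.get("port"), "APR-if-native-present", False))
    return findings


def assess(version, server_xml):
    """Combine the version and connector checks into a single verdict."""
    if not version_is_vulnerable(version):
        return "not affected: version is at or past the fixed release"
    conns = sendfile_connectors(server_xml)
    if not conns:
        return "version affected, but no sendfile-capable HTTP connector configured"
    certain = [c for c in conns if c[2]]
    if certain:
        ports = ", ".join(f"{p} ({t})" for p, t, _ in certain)
        return f"vulnerable: affected version with sendfile on connector(s) {ports}"
    return ("possibly vulnerable: HTTP/1.1 connector uses APR sendfile "
            "only if Tomcat Native is installed")


# Constructed sample server.xml (hypothetical ports and connectors).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" />
    <Connector port="8081" protocol="org.apache.coyote.http11.Http11AprProtocol"
               useSendfile="false" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    for ver in ("7.0.18", "7.0.19", "6.0.32", "5.5.34"):
        print(ver, "->", assess(ver, SAMPLE_SERVER_XML))
```

On the sample, 7.0.18 is reported vulnerable through the NIO connector on 8443; the APR connector on 8081 is skipped because useSendfile="false", and the plain HTTP/1.1 connector on 8080 is listed as uncertain. Run it against your own server.xml by reading the file into a string and passing it to `assess` together with the version from `catalina.sh version` or the RELEASE-NOTES file.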

CVSS vector

CVSS v2: AV:L/AC:M/Au:N/C:P/I:P/A:P (Exploitability subscore 3.4, Impact subscore 6.4)

Affected Packages (1 package)

NVD: apache/tomcat, 79 versions

Patches

🔴 Vulnerability Details (3)

GHSA: Improper Input Validation in Apache Tomcat (2022-05-14)
OSV: Improper Input Validation in Apache Tomcat (2022-05-14)
CVEList: CVE-2011-2526: Apache Tomcat 5 (2011-07-14)

📋 Vendor Advisories (2)

Ubuntu: Tomcat vulnerabilities (2011-11-08)
Red Hat: tomcat: security manager restrictions bypass (2011-07-13)

💬 Community (3)

Bugzilla: CVE-2011-2526 tomcat5, tomcat6: Certain server files exposure and JVM crash via crafted web application running under security manager [fedora-all] (2011-07-13)
Bugzilla: CVE-2011-2526 tomcat5, tomcat6: Certain server files exposure and JVM crash via crafted web application running under security manager [fedora-all] (2011-07-13)
Bugzilla: CVE-2011-2526 tomcat: security manager restrictions bypass (2011-07-13)