CVE-2011-3190 — Improper Authentication in Apache Tomcat

CWE-264CWE-287 — Improper Authentication9 documents7 sources
Severity
7.5HIGHNVD
EPSS
0.9%
top 24.75%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedAug 31
Latest updateMay 14

Description

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

â–¶NVDapache/tomcat84 versions+83

🔴Vulnerability Details

3
GHSA
Apache Tomcat Allows Remote Attackers to Spoof AJP Requests↗2022-05-14
â–¶
OSV
Apache Tomcat Allows Remote Attackers to Spoof AJP Requests↗2022-05-14
â–¶
CVEList
CVE-2011-3190: Certain AJP protocol connector implementations in Apache Tomcat 7↗2011-08-31
â–¶

📋Vendor Advisories

2
Ubuntu
Tomcat vulnerabilities↗2011-11-08
â–¶
Red Hat
tomcat: authentication bypass and information disclosure↗2011-08-20
â–¶

💬Community

3
Bugzilla
CVE-2011-3190 tomcat: authentication bypass and information disclosure [fedora-all]↗2011-09-15
â–¶
Bugzilla
CVE-2011-3190 tomcat: authentication bypass and information disclosure [fedora-16]↗2011-09-15
â–¶
Bugzilla
CVE-2011-3190 tomcat: authentication bypass and information disclosure↗2011-08-31
â–¶
CVE-2011-3190 — Improper Authentication in Apache | cvebase