CVE-2011-3376Apache Tomcat vulnerability

CWE-2645 documents5 sources
Severity
4.4MEDIUMNVD
EPSS
0.3%
top 46.70%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedNov 11
Latest updateMay 17

Description

org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager application's functionality.

CVSS vector

AV:L/AC:M/C:P/I:P/A:PExploitability: 3.4 | Impact: 6.4

Affected Packages1 packages

NVDapache/tomcat22 versions+21

Patches

Patch: svn.apache.orgPatch: svn.apache.org

🔴Vulnerability Details

2
GHSA
GHSA-cw29-r48c-h5f9: org/apache/catalina/core/DefaultInstanceManager2022-05-17
CVEList
CVE-2011-3376: org/apache/catalina/core/DefaultInstanceManager2011-11-11

📋Vendor Advisories

1
Red Hat
tomcat: Privilege escalation via the Manager application2011-10-01

💬Community

1
Bugzilla
CVE-2011-3376 tomcat: Privilege escalation via the Manager application2011-11-09
CVE-2011-3376 — Apache Tomcat vulnerability | cvebase