Apache Tomcat protection bypass updated since 15.03.2011
Published:		17.05.2011
Source:		BUGTRAQ
SecurityVulns ID:		11503
Type:		library
Level:		5/10
Description:		@ServletSecurity parameters are ignored.

Affected:		APACHE : Tomcat 7.0
CVE:		CVE-2011-1582 (Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.)
		CVE-2011-1183 (Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.)
		CVE-2011-1088 (Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.)

Original document		APACHE, [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass (17.05.2011)
		APACHE, [SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass (15.03.2011)

Discuss:

Read or add your comments to this news (0 comments)