Computer Security
[EN] securityvulns.ru no-pyccku


Apache Tomcat protection bypass
updated since 15.03.2011
Published:17.05.2011
Source:
SecurityVulns ID:11503
Type:library
Threat Level:
5/10
Description:@ServletSecurity parameters are ignored.
Affected:APACHE : Tomcat 7.0
CVE:CVE-2011-1582 (Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.)
 CVE-2011-1183 (Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.)
 CVE-2011-1088 (Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.)
Original documentdocumentAPACHE, [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass (17.05.2011)
 documentAPACHE, [SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass (15.03.2011)

About | Terms of use | Privacy Policy
© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod