ID CVE-2011-1183
Summary Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.
References
Vulnerable Configurations
  • cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
CVSS
Base: 5.8 (as of 09-10-2018 - 19:30)
Impact:
Exploitability:
CWE NVD-CWE-Other
CAPEC
Access
Vector   Complexity  Authentication
NETWORK  MEDIUM      NONE
Impact
Confidentiality  Integrity  Availability
PARTIAL          PARTIAL    NONE
cvss-vector via4 AV:N/AC:M/Au:N/C:P/I:P/A:N
oval via4
accepted 2011-06-13T04:00:13.294-04:00
class vulnerability
contributors
name SecPod Team
organization SecPod Technologies
definition_extensions
comment Apache Tomcat is installed
oval oval:org.mitre.oval:def:12401
description Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.
family windows
id oval:org.mitre.oval:def:12701
status accepted
submitted 2011-05-04T09:29:28-05:00
title Security bypass vulnerability in Apache Tomcat 7.0.11
version 4
refmap via4
bid 47196
bugtraq 20110406 [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass
confirm
fulldisc 20110406 [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass
sreason 8187
xf tomcat-webxml-security-bypass(66675)
Last major update 09-10-2018 - 19:30
Published 08-04-2011 - 15:17
Last modified 09-10-2018 - 19:30