cvelistv5 - cve-2011-1582

CVE-2011-1582 (GCVE-0-2011-1582)

Vulnerability from cvelistv5 – Published: 2011-05-20 22:00 – Updated: 2024-08-06 22:28

Summary

Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

Tags

	http://securityreason.com/securityalert/8256	third-party-advisoryx_refsource_SREASON
	http://www.securityfocus.com/archive/1/518032/100…	mailing-listx_refsource_BUGTRAQ
	http://mail-archives.apache.org/mod_mbox/www-anno…	mailing-listx_refsource_MLIST
	http://www.vupen.com/english/advisories/2011/1255	vdb-entryx_refsource_VUPEN
	http://svn.apache.org/viewvc?view=revision&revisi…	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/47886	vdb-entryx_refsource_BID
	https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
	http://tomcat.apache.org/security-7.html#Fixed_in…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T22:28:41.822Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "8256",
            "tags": [
              "third-party-advisory",
              "x_refsource_SREASON",
              "x_transferred"
            ],
            "url": "http://securityreason.com/securityalert/8256"
          },
          {
            "name": "20110517 [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/518032/100/0/threaded"
          },
          {
            "name": "[www-announce] 20110517 [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E"
          },
          {
            "name": "ADV-2011-1255",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2011/1255"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832"
          },
          {
            "name": "47886",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/47886"
          },
          {
            "name": "tomcat-annotations-security-bypass(67515)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2011-05-17T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "8256",
          "tags": [
            "third-party-advisory",
            "x_refsource_SREASON"
          ],
          "url": "http://securityreason.com/securityalert/8256"
        },
        {
          "name": "20110517 [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/518032/100/0/threaded"
        },
        {
          "name": "[www-announce] 20110517 [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E"
        },
        {
          "name": "ADV-2011-1255",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2011/1255"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832"
        },
        {
          "name": "47886",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/47886"
        },
        {
          "name": "tomcat-annotations-security-bypass(67515)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2011-1582",
    "datePublished": "2011-05-20T22:00:00",
    "dateReserved": "2011-04-05T00:00:00",
    "dateUpdated": "2024-08-06T22:28:41.822Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"05346F5A-FB52-4376-AAC7-9A5308216545\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.\"}, {\"lang\": \"es\", \"value\": \"Apache Tomcat v7.0.12 y v7.0.13 procesa la primera petici\\u00f3n a un servlet sin seguir las restricciones de seguridad que se han configurado a trav\\u00e9s de anotaciones, que permite a atacantes remotos evitar las restricciones de acceso previstas a trav\\u00e9s de peticiones HTTP. NOTA: esta vulnerabilidad existe debido a una soluci\\u00f3n incompleta para CVE-2011-1088, CVE-2011-1183, y CVE-2011-1419.\"}]",
      "id": "CVE-2011-1582",
      "lastModified": "2024-11-21T01:26:39.047",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:N/I:P/A:N\", \"baseScore\": 4.3, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2011-05-20T22:55:03.750",
      "references": "[{\"url\": \"http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://securityreason.com/securityalert/8256\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://svn.apache.org/viewvc?view=revision\u0026revision=1100832\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/archive/1/518032/100/0/threaded\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/47886\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2011/1255\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/67515\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://securityreason.com/securityalert/8256\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://svn.apache.org/viewvc?view=revision\u0026revision=1100832\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/archive/1/518032/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/47886\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2011/1255\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/67515\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2011-1582\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2011-05-20T22:55:03.750\",\"lastModified\":\"2025-04-11T00:51:21.963\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.\"},{\"lang\":\"es\",\"value\":\"Apache Tomcat v7.0.12 y v7.0.13 procesa la primera petici\u00f3n a un servlet sin seguir las restricciones de seguridad que se han configurado a trav\u00e9s de anotaciones, que permite a atacantes remotos evitar las restricciones de acceso previstas a trav\u00e9s de peticiones HTTP. NOTA: esta vulnerabilidad existe debido a una soluci\u00f3n incompleta para CVE-2011-1088, CVE-2011-1183, y CVE-2011-1419.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"baseScore\":4.3,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"05346F5A-FB52-4376-AAC7-9A5308216545\"}]}]}],\"references\":[{\"url\":\"http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://securityreason.com/securityalert/8256\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://svn.apache.org/viewvc?view=revision\u0026revision=1100832\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/archive/1/518032/100/0/threaded\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/47886\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.vupen.com/english/advisories/2011/1255\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/67515\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securityreason.com/securityalert/8256\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://svn.apache.org/viewvc?view=revision\u0026revision=1100832\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/archive/1/518032/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/47886\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.vupen.com/english/advisories/2011/1255\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/67515\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

CERTA-2011-AVI-301

Vulnerability from certfr_avis - Published: - Updated:

Un vulnérabilité permettant d'accéder à des données sensibles a été découverte dans Apache Tomcat.

Description

Une vulnérabilité est présente dans Apache Tomcat. Les contraintes de sécurité configurées via les annotations ne sont pas prises en compte lors de la première requête effectuée vers une appliquette (servlet). Un utilisateur malintentionné pourrait se servir de cette faille pour obtenir des informations sensibles.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Apache Tomcat versions antérieures à 7.0.14.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Notes de mise à jour Apache Tomcat du 12 mai 2011	None	vendor-advisory
Notes de mise à jour Apache Tomcat:	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eApache Tomcat versions ant\u00e9rieures \u00e0  7.0.14.\u003c/p\u003e",
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 est pr\u00e9sente dans Apache Tomcat. Les contraintes de\ns\u00e9curit\u00e9 configur\u00e9es via les annotations ne sont pas prises en compte\nlors de la premi\u00e8re requ\u00eate effectu\u00e9e vers une appliquette (servlet). Un\nutilisateur malintentionn\u00e9 pourrait se servir de cette faille pour\nobtenir des informations sensibles.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-1582",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1582"
    }
  ],
  "links": [
    {
      "title": "Notes de mise \u00e0 jour Apache    Tomcat:",
      "url": "http://tomcat.apache.org/security-7.html"
    }
  ],
  "reference": "CERTA-2011-AVI-301",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2011-05-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Un vuln\u00e9rabilit\u00e9 permettant d\u0027acc\u00e9der \u00e0 des donn\u00e9es sensibles a \u00e9t\u00e9\nd\u00e9couverte dans \u003cspan class=\"textit\"\u003eApache Tomcat\u003c/span\u003e.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Apache Tomcat",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Notes de mise \u00e0 jour Apache Tomcat du 12 mai 2011",
      "url": null
    }
  ]
}

CERTA-2011-AVI-301

Vulnerability from certfr_avis - Published: - Updated:

Un vulnérabilité permettant d'accéder à des données sensibles a été découverte dans Apache Tomcat.

Description

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Apache Tomcat versions antérieures à 7.0.14.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Notes de mise à jour Apache Tomcat du 12 mai 2011	None	vendor-advisory
Notes de mise à jour Apache Tomcat:	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cp\u003eApache Tomcat versions ant\u00e9rieures \u00e0  7.0.14.\u003c/p\u003e",
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 est pr\u00e9sente dans Apache Tomcat. Les contraintes de\ns\u00e9curit\u00e9 configur\u00e9es via les annotations ne sont pas prises en compte\nlors de la premi\u00e8re requ\u00eate effectu\u00e9e vers une appliquette (servlet). Un\nutilisateur malintentionn\u00e9 pourrait se servir de cette faille pour\nobtenir des informations sensibles.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2011-1582",
      "url": "https://www.cve.org/CVERecord?id=CVE-2011-1582"
    }
  ],
  "links": [
    {
      "title": "Notes de mise \u00e0 jour Apache    Tomcat:",
      "url": "http://tomcat.apache.org/security-7.html"
    }
  ],
  "reference": "CERTA-2011-AVI-301",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2011-05-19T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Un vuln\u00e9rabilit\u00e9 permettant d\u0027acc\u00e9der \u00e0 des donn\u00e9es sensibles a \u00e9t\u00e9\nd\u00e9couverte dans \u003cspan class=\"textit\"\u003eApache Tomcat\u003c/span\u003e.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Apache Tomcat",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Notes de mise \u00e0 jour Apache Tomcat du 12 mai 2011",
      "url": null
    }
  ]
}

GSD-2011-1582

Vulnerability from gsd - Updated: 2023-12-13 01:19

Details

Aliases

CVE-2011-1582

Aliases

CVE-2011-1582

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2011-1582",
    "description": "Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.",
    "id": "GSD-2011-1582"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2011-1582"
      ],
      "details": "Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.",
      "id": "GSD-2011-1582",
      "modified": "2023-12-13T01:19:08.054849Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2011-1582",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E",
            "refsource": "MISC",
            "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E"
          },
          {
            "name": "http://securityreason.com/securityalert/8256",
            "refsource": "MISC",
            "url": "http://securityreason.com/securityalert/8256"
          },
          {
            "name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832",
            "refsource": "MISC",
            "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832"
          },
          {
            "name": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29",
            "refsource": "MISC",
            "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29"
          },
          {
            "name": "http://www.securityfocus.com/archive/1/518032/100/0/threaded",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/archive/1/518032/100/0/threaded"
          },
          {
            "name": "http://www.securityfocus.com/bid/47886",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/47886"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2011/1255",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2011/1255"
          },
          {
            "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515",
            "refsource": "MISC",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "[7.0.12,7.0.14)",
          "affected_versions": "All versions starting from 7.0.12 before 7.0.14",
          "cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-264",
            "CWE-937"
          ],
          "date": "2023-02-14",
          "description": "Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.",
          "fixed_versions": [
            "7.0.14"
          ],
          "identifier": "CVE-2011-1582",
          "identifiers": [
            "GHSA-3xpj-jgv5-q4vv",
            "CVE-2011-1582"
          ],
          "not_impacted": "All versions before 7.0.12, all versions starting from 7.0.14",
          "package_slug": "maven/org.apache.tomcat/tomcat",
          "pubdate": "2022-05-14",
          "solution": "Upgrade to version 7.0.14 or above.",
          "title": "Access restriction bypass in Apache Tomcat",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2011-1582",
            "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515",
            "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103@apache.org%3E",
            "http://securityreason.com/securityalert/8256",
            "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832",
            "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29",
            "http://www.securityfocus.com/archive/1/518032/100/0/threaded",
            "http://www.securityfocus.com/bid/47886",
            "http://www.vupen.com/english/advisories/2011/1255",
            "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E",
            "https://github.com/advisories/GHSA-3xpj-jgv5-q4vv"
          ],
          "uuid": "22a6e371-fe6a-4150-a259-a3c6d1c9ee26"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2011-1582"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-264"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "ADV-2011-1255",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2011/1255"
            },
            {
              "name": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832"
            },
            {
              "name": "47886",
              "refsource": "BID",
              "tags": [
                "Patch"
              ],
              "url": "http://www.securityfocus.com/bid/47886"
            },
            {
              "name": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29",
              "refsource": "CONFIRM",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29"
            },
            {
              "name": "8256",
              "refsource": "SREASON",
              "tags": [],
              "url": "http://securityreason.com/securityalert/8256"
            },
            {
              "name": "tomcat-annotations-security-bypass(67515)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515"
            },
            {
              "name": "20110517 [SECURITY] CVE-2011-1582 Apache Tomcat security constraint bypass",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/518032/100/0/threaded"
            },
            {
              "name": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T01:19Z",
      "publishedDate": "2011-05-20T22:55Z"
    }
  }
}

GHSA-3XPJ-JGV5-Q4VV

Vulnerability from github – Published: 2022-05-14 02:55 – Updated: 2024-02-21 21:26

Summary

Access restriction bypass in Apache Tomcat

Details

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.tomcat:tomcat"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.12"
            },
            {
              "fixed": "7.0.14"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2011-1582"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-14T01:01:49Z",
    "nvd_published_at": "2011-05-20T22:55:00Z",
    "severity": "MODERATE"
  },
  "details": "Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419.",
  "id": "GHSA-3xpj-jgv5-q4vv",
  "modified": "2024-02-21T21:26:08Z",
  "published": "2022-05-14T02:55:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1582"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/tomcat/commit/299b26af66793438c323ea6b18462fa44683080f"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/tomcat"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20111110135226/http://www.securityfocus.com/archive/1/518032/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "https://web.archive.org/web/20170202135510/http://www.securityfocus.com/bid/47886"
    },
    {
      "type": "WEB",
      "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103@apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "http://securityreason.com/securityalert/8256"
    },
    {
      "type": "WEB",
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832"
    },
    {
      "type": "WEB",
      "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Access restriction bypass in Apache Tomcat"
}

FKIE_CVE-2011-1582

Vulnerability from fkie_nvd - Published: 2011-05-20 22:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E
secalert@redhat.com	http://securityreason.com/securityalert/8256
secalert@redhat.com	http://svn.apache.org/viewvc?view=revision&revision=1100832	Patch
secalert@redhat.com	http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29	Vendor Advisory
secalert@redhat.com	http://www.securityfocus.com/archive/1/518032/100/0/threaded
secalert@redhat.com	http://www.securityfocus.com/bid/47886	Patch
secalert@redhat.com	http://www.vupen.com/english/advisories/2011/1255	Vendor Advisory
secalert@redhat.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/67515
af854a3a-2127-422b-91ae-364da2661108	http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	http://securityreason.com/securityalert/8256
af854a3a-2127-422b-91ae-364da2661108	http://svn.apache.org/viewvc?view=revision&revision=1100832	Patch
af854a3a-2127-422b-91ae-364da2661108	http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/518032/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/47886	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2011/1255	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/67515

Impacted products

	Vendor	Product	Version
	apache	tomcat	7.0.12
	apache	tomcat	7.0.13

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "2BA27FF9-4C66-4E17-95C0-1CB2DAA6AFC8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "05346F5A-FB52-4376-AAC7-9A5308216545",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests.  NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419."
    },
    {
      "lang": "es",
      "value": "Apache Tomcat v7.0.12 y v7.0.13 procesa la primera petici\u00f3n a un servlet sin seguir las restricciones de seguridad que se han configurado a trav\u00e9s de anotaciones, que permite a atacantes remotos evitar las restricciones de acceso previstas a trav\u00e9s de peticiones HTTP. NOTA: esta vulnerabilidad existe debido a una soluci\u00f3n incompleta para CVE-2011-1088, CVE-2011-1183, y CVE-2011-1419."
    }
  ],
  "id": "CVE-2011-1582",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 4.3,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2011-05-20T22:55:03.750",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://securityreason.com/securityalert/8256"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/archive/1/518032/100/0/threaded"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/47886"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2011/1255"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201105.mbox/%3C4DD26E30.2060103%40apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securityreason.com/securityalert/8256"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://svn.apache.org/viewvc?view=revision\u0026revision=1100832"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/518032/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/47886"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2011/1255"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/67515"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-264"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2011-1582 (GCVE-0-2011-1582)

CERTA-2011-AVI-301

Description

Solution

CERTA-2011-AVI-301

Description

Solution

GSD-2011-1582

GHSA-3XPJ-JGV5-Q4VV

FKIE_CVE-2011-1582

Tags

Sightings

Nomenclature