CVE-2011-3375 Description Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3375 http://seclists.org/fulldisclosure/2012/Jan/236 Project Category n/a Tags data operational Date Disclosed 2012-01-19 Date Discovered 2011-08-30 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-2526 Description Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2526 http://www.securityfocus.com/archive/1/archive/1/518889/100/0/threaded Project Category n/a Tags data functional other Date Disclosed 2011-07-14 Date Discovered 2011-06-15 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-2481 Description Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2481 https://tomcat.apache.org/security-7.html https://seclists.org/fulldisclosure/2011/Aug/106 Project Category n/a Tags data operational Date Disclosed 2011-08-15 Date Discovered 2011-06-15 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? …
Read More
CVE-2011-2204 Description Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2204 http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-7.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2204 Project Category n/a Tags data configuration Date Disclosed 2011-06-29 Date Discovered 2011-05-31 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-1582 Description Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1582 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.14_%28released_12_May_2011%29 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1582 Project Category n/a Tags data functional Date Disclosed 2011-05-20 Date Discovered 2011-04-05 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-1475 Description The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users." Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1475 http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.12 https://bz.apache.org/bugzilla/show_bug.cgi?id=50957 Project Category n/a Tags data Date Disclosed 2011-04-08 Date Discovered 2011-03-21 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-1419 Description Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating…
Read More
CVE-2011-1411 Description Shibboleth OpenSAML library 2.4.x before 2.4.3 and 2.5.x before 2.5.1, and IdP before 2.3.2, allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack." Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1411 https://github.com/apigee/java-opensaml2/commit/77b2f4f002683189b036101746a34b7d6d461428#diff-b375b7c642e6ab1ab0e0ad9fa6dad433R88 Project Category n/a Tags data Date Disclosed 2011-09-02 Date Discovered 2011-03-10 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
CVE-2011-1184 Description The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1184 http://mail-archives.apache.org/mod_mbox/www-announce/201109.mbox/%3C4E805D2E.8010401@apache.org%3E Project Category n/a Tags functional Date Disclosed 2012-01-14 Date Discovered…
Read More
CVE-2011-1183 Description Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419. Mitigation We recommend upgrading to a version of this component that is not vulnerable to this specific issue. Related links: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1183 http://tomcat.apache.org/security-7.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1183 Project Category n/a Tags data configuration Date Disclosed 2011-04-08 Date Discovered 2011-03-03 JTVCYnJhbmNoX2xpc3QlNUQlNUIlMkZicmFuY2hfbGlzdCU1RA== Feel Vulnerable? Contact us so we can help you.
Read More
