CVE-2011-1419 | Vulnerability Database | Aqua Security

Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.

Affected Software

Name	Vendor	Start Version	End Version
Tomcat	Apache	7.0.0	7.0.0
Tomcat	Apache	7.0.0	7.0.0
Tomcat	Apache	7.0.1	7.0.1
Tomcat	Apache	7.0.2	7.0.2
Tomcat	Apache	7.0.3	7.0.3
Tomcat	Apache	7.0.4	7.0.4
Tomcat	Apache	7.0.5	7.0.5
Tomcat	Apache	7.0.6	7.0.6
Tomcat	Apache	7.0.7	7.0.7
Tomcat	Apache	7.0.8	7.0.8
Tomcat	Apache	7.0.9	7.0.9
Tomcat	Apache	7.0.10	7.0.10

References

http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106@apache.org%3E
http://marc.info/?l=tomcat-user\u0026m=129966773405409\u0026w=2
http://markmail.org/message/lzx5273wsgl5pob6
http://markmail.org/message/yzmyn44f5aetmm2r
http://secunia.com/advisories/43684
http://securityreason.com/securityalert/8131
http://svn.apache.org/viewvc?view=revision\u0026revision=1079752
http://tomcat.apache.org/security-7.html
http://www.osvdb.org/71027
http://www.securityfocus.com/bid/46685
http://www.vupen.com/english/advisories/2011/0563
https://exchange.xforce.ibmcloud.com/vulnerabilities/65971
https://exchange.xforce.ibmcloud.com/vulnerabilities/66154

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-1419
CWE	https://cwe.mitre.org/data/definitions/NVD-Other.html