CVE-2011-3376 | Vulnerability Database | Aqua Security

org/apache/catalina/core/DefaultInstanceManager.java in Apache Tomcat 7.x before 7.0.22 does not properly restrict ContainerServlets in the Manager application, which allows local users to gain privileges by using an untrusted web application to access the Manager applications functionality.

Affected Software

Name	Vendor	Start Version	End Version
Tomcat	Apache	7.0.0 (including)	7.0.0 (including)
Tomcat	Apache	7.0.0-beta (including)	7.0.0-beta (including)
Tomcat	Apache	7.0.1 (including)	7.0.1 (including)
Tomcat	Apache	7.0.2 (including)	7.0.2 (including)
Tomcat	Apache	7.0.3 (including)	7.0.3 (including)
Tomcat	Apache	7.0.4 (including)	7.0.4 (including)
Tomcat	Apache	7.0.5 (including)	7.0.5 (including)
Tomcat	Apache	7.0.6 (including)	7.0.6 (including)
Tomcat	Apache	7.0.7 (including)	7.0.7 (including)
Tomcat	Apache	7.0.8 (including)	7.0.8 (including)
Tomcat	Apache	7.0.9 (including)	7.0.9 (including)
Tomcat	Apache	7.0.10 (including)	7.0.10 (including)
Tomcat	Apache	7.0.11 (including)	7.0.11 (including)
Tomcat	Apache	7.0.12 (including)	7.0.12 (including)
Tomcat	Apache	7.0.13 (including)	7.0.13 (including)
Tomcat	Apache	7.0.14 (including)	7.0.14 (including)
Tomcat	Apache	7.0.15 (including)	7.0.15 (including)
Tomcat	Apache	7.0.16 (including)	7.0.16 (including)
Tomcat	Apache	7.0.17 (including)	7.0.17 (including)
Tomcat	Apache	7.0.18 (including)	7.0.18 (including)
Tomcat	Apache	7.0.19 (including)	7.0.19 (including)
Tomcat	Apache	7.0.20 (including)	7.0.20 (including)
Tomcat	Apache	7.0.21 (including)	7.0.21 (including)
Tomcat7	Ubuntu	oneiric	*
Tomcat7	Ubuntu	upstream	*

References

http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?r1=1176588\u0026r2=1176587\u0026pathrev=1176588
http://svn.apache.org/viewvc?view=revision\u0026revision=1176588
http://tomcat.apache.org/security-7.html
http://www.securityfocus.com/bid/50603
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/DefaultInstanceManager.java?r1=1176588\u0026r2=1176587\u0026pathrev=1176588
http://svn.apache.org/viewvc?view=revision\u0026revision=1176588
http://tomcat.apache.org/security-7.html
http://www.securityfocus.com/bid/50603

NVD	https://nvd.nist.gov/vuln/detail/CVE-2011-3376
CWE	https://cwe.mitre.org/data/definitions/264.html