{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2011-04-06T00:00:00", "descriptions": [{"lang": "en", "value": "Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-09T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "oval:org.mitre.oval:def:12701", "tags": ["vdb-entry", "signature", "x_refsource_OVAL"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12701"}, {"name": "47196", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/47196"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://tomcat.apache.org/security-7.html"}, {"name": "8187", "tags": ["third-party-advisory", "x_refsource_SREASON"], "url": "http://securityreason.com/securityalert/8187"}, {"name": "20110406 [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass", "tags": ["mailing-list", "x_refsource_FULLDISC"], "url": "http://seclists.org/fulldisclosure/2011/Apr/96"}, {"name": "20110406 [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/517362/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1087643"}, {"name": "tomcat-webxml-security-bypass(66675)", "tags": ["vdb-entry", "x_refsource_XF"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66675"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T22:21:33.787Z"}, "title": "CVE Program Container", "references": [{"name": "oval:org.mitre.oval:def:12701", "tags": ["vdb-entry", "signature", "x_refsource_OVAL", "x_transferred"], "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12701"}, {"name": "47196", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/47196"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://tomcat.apache.org/security-7.html"}, {"name": "8187", "tags": ["third-party-advisory", "x_refsource_SREASON", "x_transferred"], "url": "http://securityreason.com/securityalert/8187"}, {"name": "20110406 [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass", "tags": ["mailing-list", "x_refsource_FULLDISC", "x_transferred"], "url": "http://seclists.org/fulldisclosure/2011/Apr/96"}, {"name": "20110406 [SECURITY] CVE-2011-1183 Apache Tomcat security constraint bypass", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/517362/100/0/threaded"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1087643"}, {"name": "tomcat-webxml-security-bypass(66675)", "tags": ["vdb-entry", "x_refsource_XF", "x_transferred"], "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66675"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2011-1183", "datePublished": "2011-04-08T15:00:00", "dateReserved": "2011-03-03T00:00:00", "dateUpdated": "2024-08-06T22:21:33.787Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*", "matchCriteriaId": "1F74A421-D019-4248-84B8-C70D4D9A8A95", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419."}, {"lang": "es", "value": "Apache Tomcat v7.0.11, cuando web.xml no tiene configuraci\u00f3n de login, no se siguen las restricciones de seguridad, permitiendo a atacantes remotos evitar las restricciones de acceso a trav\u00e9s de peticiones HTTP a los meta-datos de la aplicaci\u00f3n web. NOTA: esta vulnerabilidad existe debido a un parche incorrecto para CVE-2011-1088 y CVE-2011-1419."}], "id": "CVE-2011-1183", "lastModified": "2023-11-07T02:06:58.950", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2011-04-08T15:17:28.103", "references": [{"source": "secalert@redhat.com", "url": "http://seclists.org/fulldisclosure/2011/Apr/96"}, {"source": "secalert@redhat.com", "url": "http://securityreason.com/securityalert/8187"}, {"source": "secalert@redhat.com", "tags": ["Patch"], "url": "http://svn.apache.org/viewvc?view=revision&revision=1087643"}, {"source": "secalert@redhat.com", "url": "http://tomcat.apache.org/security-7.html"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/archive/1/517362/100/0/threaded"}, {"source": "secalert@redhat.com", "url": "http://www.securityfocus.com/bid/47196"}, {"source": "secalert@redhat.com", "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/66675"}, {"source": "secalert@redhat.com", "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12701"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "tomcat: various flaws due not following ServletSecurity annotations", "id": "708955", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=708955"}, "csaw": false, "cvss": {"cvss_base_score": "5.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "status": "draft"}, "details": ["Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419."], "name": "CVE-2011-1183", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "tomcat5", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "tomcat6", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2011-03-02T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2011-1183\nhttps://nvd.nist.gov/vuln/detail/CVE-2011-1183"], "statement": "Not vulnerable. This issue did not affect the versions of Apache Tomcat 5 as shipped with Red Hat Enterprise Linux 5, Red Hat Developer Suite 3, Red Hat Certificate System 7.3, Red Hat Network Satellite 5.3.0 and earlier versions and JBoss Enterprise Web Server 1.0. It did not affect the versions of Apache Tomcat 6 as shipped with Red Hat Enterprise Linux 6 and JBoss Enterprise Web Server 1.0. It also did not affect the versions of jbossweb as shipped with JBoss Enterprise Application Platform 4.3.0 and earlier versions, as this flaw only affects Apache Tomcat 7.0.11.", "threat_severity": "Moderate"}