CVE-2011-1183
Access control bypass in Apache Tomcat
EPSS 0.79%
Description
Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.
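A defender-side check for the condition the description names, added here as an example and not taken from the advisory or from Tomcat's own code: it parses a web.xml and reports whether a security-constraint is declared without a login-config in a metadata-complete descriptor on an affected Tomcat version. The sample descriptor, its /admin/* pattern and the function names are constructed for the example.

```python
"""Check a Tomcat web.xml for the condition described in CVE-2011-1183.

Added example, not part of the advisory: flags deployment descriptors that
declare <security-constraint> elements but no <login-config>, carry
metadata-complete="true", and run on an affected Tomcat (>= 7.0.11, < 7.0.12).
"""
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the XML namespace so descriptors with or without it are handled."""
    return tag.rsplit('}', 1)[-1]


def parse_version(v):
    return tuple(int(p) for p in v.split('.'))


def tomcat_affected(version):
    """True if the Tomcat version lies in the range the advisory lists."""
    ver = parse_version(version)
    return parse_version('7.0.11') <= ver < parse_version('7.0.12')


def descriptor_matches(web_xml_text):
    """Report which parts of the vulnerable descriptor condition hold."""
    root = ET.fromstring(web_xml_text)
    children = {_local(c.tag) for c in root}
    return {
        'has_security_constraint': 'security-constraint' in children,
        'has_login_config': 'login-config' in children,
        'metadata_complete': root.get('metadata-complete', '').lower() == 'true',
    }


def is_exposed(web_xml_text, tomcat_version):
    """All three descriptor conditions plus the version range must hold."""
    d = descriptor_matches(web_xml_text)
    return (tomcat_affected(tomcat_version) and d['has_security_constraint']
            and not d['has_login_config'] and d['metadata_complete'])


# Constructed sample descriptor: a constraint on /admin/* with no <login-config>.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    version="3.0" metadata-complete="true">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == '__main__':
    print(is_exposed(SAMPLE_WEB_XML, '7.0.11'))  # True
```

The check only identifies descriptors matching the advisory's description; the remediation the advisory gives is upgrading to 7.0.12 or later.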
How to fix CVE-2011-1183
To remediate CVE-2011-1183, upgrade the affected package to a fixed version below.
- Maven/org.apache.tomcat:tomcat—upgrade to 7.0.12 or later
Is CVE-2011-1183 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- org.apache.tomcat:tomcat: >= 7.0.11, < 7.0.12