CVE-2011-1419
Apache Tomcat does not follow ServletSecurity annotations
EPSS 16.1%
Description
Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.
How to fix CVE-2011-1419
To remediate CVE-2011-1419, upgrade the affected package to a fixed version below.
- Maven/org.apache.tomcat:tomcat—upgrade to 7.0.11 or later
Is CVE-2011-1419 being exploited?
Moderate — EPSS is 16.1%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (1)
- Maven/org.apache.tomcat:tomcat: >= 7.0, < 7.0.11
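A small checker that applies the affected range above (>= 7.0, < 7.0.11) to Maven coordinates, so a dependency inventory can be screened for the org.apache.tomcat:tomcat version named in the fix step. This is an added example, not code from the advisory or from the Tomcat project; it assumes plain dotted version strings such as "7.0.10", treats a suffixed version (for example "7.0.11-beta") as preceding the release it names, and the sample dependency list is constructed here for illustration.

```python
"""Screen Maven coordinates for the CVE-2011-1419 affected range.

Added example (not from the advisory). The range >= 7.0, < 7.0.11 and the
coordinate org.apache.tomcat:tomcat are the ones the advisory lists; the
sample dependency list below is constructed for illustration.
"""
import re
from typing import List, Tuple

Coordinate = Tuple[str, str, str]  # (groupId, artifactId, version)

# Four-tuple versions: (major, minor, patch, is_release). is_release is 1 for
# a plain release and 0 for a suffixed pre-release, so "7.0.11-beta" sorts
# before "7.0.11". This suffix handling is an assumption of this example.
AFFECTED_MIN = (7, 0, 0, 0)    # inclusive lower bound: >= 7.0
FIXED_VERSION = (7, 0, 11, 1)  # exclusive upper bound: < 7.0.11

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(-.*)?")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '7.0.11' into (7, 0, 11, 1); missing components default to 0."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    return (
        int(major),
        int(minor) if minor is not None else 0,
        int(patch) if patch is not None else 0,
        0 if suffix else 1,
    )


def is_affected(version: str) -> bool:
    """True when the version falls inside >= 7.0, < 7.0.11."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def find_vulnerable(deps: List[Coordinate]) -> List[Coordinate]:
    """Return the org.apache.tomcat:tomcat coordinates in the affected range."""
    return [
        dep for dep in deps
        if dep[0] == "org.apache.tomcat" and dep[1] == "tomcat" and is_affected(dep[2])
    ]


# Constructed sample inventory; only the first entry should be flagged.
SAMPLE_DEPENDENCIES: List[Coordinate] = [
    ("org.apache.tomcat", "tomcat", "7.0.10"),   # affected
    ("org.apache.tomcat", "tomcat", "7.0.11"),   # fixed version
    ("org.apache.tomcat", "tomcat", "6.0.32"),   # outside the 7.x range
    ("org.example", "other-lib", "7.0.5"),       # different artifact
]

if __name__ == "__main__":
    for group, artifact, version in find_vulnerable(SAMPLE_DEPENDENCIES):
        print(f"{group}:{artifact}:{version} is affected by CVE-2011-1419; upgrade to 7.0.11 or later")
```

The check only matches the exact coordinate the advisory names; other Tomcat artifacts are deliberately left unflagged rather than guessed at.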