CVE-2011-2526 — Improper Input Validation in Apache Tomcat

Description

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.

How to fix CVE-2011-2526

To remediate CVE-2011-2526, upgrade the affected package to a fixed version below.

Maven/org.apache.tomcat:tomcat—upgrade to 5.5.34 or later

Is CVE-2011-2526 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 5.5.34

References (39)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2011-2526
WEBmarc.info/?l=bugtraq&m=132215163318824&w=2
WEBmarc.info/?l=bugtraq&m=133469267822771&w=2
WEBmarc.info/?l=bugtraq&m=136485229118404&w=2
WEB