| # | CVE ID | CWE ID | # of Exploits | Vulnerability Type(s) | Publish Date | Update Date | Score | Gained Access Level | Access | Complexity | Authentication | Conf. | Integ. | Avail. | Description |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2013-0239 | 287 | | Bypass | 2013-03-12 | 2013-03-19 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Apache CXF before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3, when the plaintext UsernameToken WS-SecurityPolicy is enabled, allows remote attackers to bypass authentication via a security header of a SOAP request containing a UsernameToken element that lacks a password child element. |
| 2 | CVE-2012-5887 | 287 | | Bypass | 2012-11-17 | 2013-05-14 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly check for stale nonce values in conjunction with enforcement of proper credentials, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests. |
| 3 | CVE-2012-5886 | 287 | | Bypass | 2012-11-17 | 2013-05-14 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information about the authenticated user within the session state, which makes it easier for remote attackers to bypass authentication via vectors related to the session ID. |
| 4 | CVE-2012-5885 | 264 | | Bypass | 2012-11-17 | 2013-05-14 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The replay-countermeasure functionality in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values instead of nonce (aka server nonce) and nc (aka nonce-count) values, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, a different vulnerability than CVE-2011-1184. |
| 5 | CVE-2012-5633 | 287 | | Bypass | 2013-03-12 | 2013-05-14 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | The URIMappingInterceptor in Apache CXF before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2, when using the WSS4JInInterceptor, bypasses WS-Security processing, which allows remote attackers to obtain access to SOAP services via an HTTP GET request. |
| 6 | CVE-2012-5351 | 287 | | Bypass | 2012-10-09 | 2013-02-13 | 6.4 | None | Remote | Low | Not required | Partial | Partial | None | Apache Axis2 allows remote attackers to forge messages and bypass authentication via a SAML assertion that lacks a Signature element, aka a "Signature exclusion attack," a different vulnerability than CVE-2012-4418. |
| 7 | CVE-2012-4446 | 287 | | Bypass | 2013-03-13 | 2013-03-19 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | The default configuration for Apache Qpid 0.20 and earlier, when the federation_tag attribute is enabled, accepts AMQP connections without checking the source user ID, which allows remote attackers to bypass authentication and have other unspecified impact via an AMQP request. |
| 8 | CVE-2012-4431 | 264 | | Bypass CSRF | 2012-12-19 | 2013-05-14 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier. |
| 9 | CVE-2012-4418 | 287 | | Bypass | 2012-10-09 | 2013-01-29 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Apache Axis2 allows remote attackers to forge messages and bypass authentication via an "XML Signature wrapping attack." |
| 10 | CVE-2012-3546 | 264 | | Bypass | 2012-12-19 | 2013-03-22 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI. |
| 11 | CVE-2012-3467 | 287 | | Bypass | 2012-08-27 | 2013-01-29 | 5.0 | None | Remote | Low | Not required | None | Partial | None | Apache QPID 0.14, 0.16, and earlier uses a NullAuthenticator mechanism to authenticate catch-up shadow connections to AMQP brokers, which allows remote attackers to bypass authentication. |
| 12 | CVE-2012-2378 | 264 | | Bypass | 2013-01-04 | 2013-02-12 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Apache CXF 2.4.5 through 2.4.7, 2.5.1 through 2.5.3, and 2.6.x before 2.6.1, does not properly enforce child policies of a WS-SecurityPolicy 1.1 SupportingToken policy on the client side, which allows remote attackers to bypass the (1) AlgorithmSuite, (2) SignedParts, (3) SignedElements, (4) EncryptedParts, and (5) EncryptedElements policies. |
| 13 | CVE-2011-5064 | 310 | | Bypass | 2012-01-14 | 2012-02-15 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184. |
| 14 | CVE-2011-5063 | 287 | | Bypass | 2012-01-14 | 2012-02-15 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184. |
| 15 | CVE-2011-5062 | 264 | | Bypass | 2012-01-14 | 2012-02-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184. |
| 16 | CVE-2011-3190 | 264 | | Bypass +Info | 2011-08-31 | 2012-11-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. |
| 17 | CVE-2011-2729 | 264 | | Bypass | 2011-08-15 | 2012-11-05 | 5.0 | None | Remote | Low | Not required | Partial | None | None | native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application. |
| 18 | CVE-2011-2526 | 20 | | DoS Bypass | 2011-07-14 | 2012-11-05 | 4.4 | None | Local | Medium | Not required | Partial | Partial | Partial | Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. |
| 19 | CVE-2011-2329 | 264 | | Bypass | 2011-06-02 | 2011-07-07 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | The rampart_timestamp_token_validate function in util/rampart_timestamp_token.c in Apache Rampart/C 1.3.0 does not properly calculate the expiration of timestamp tokens, which allows remote attackers to bypass intended access restrictions by leveraging an expired token, a different vulnerability than CVE-2011-0730. |
| 20 | CVE-2011-1582 | 264 | | Bypass | 2011-05-20 | 2011-09-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Apache Tomcat 7.0.12 and 7.0.13 processes the first request to a servlet without following security constraints that have been configured through annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088, CVE-2011-1183, and CVE-2011-1419. |
| 21 | CVE-2011-1419 | | | Bypass | 2011-03-14 | 2011-09-21 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088. |
| 22 | CVE-2011-1184 | 264 | | Bypass | 2012-01-14 | 2012-02-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. |
| 23 | CVE-2011-1183 | | | Bypass | 2011-04-08 | 2011-09-21 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419. |
| 24 | CVE-2011-1088 | | | Bypass | 2011-03-14 | 2011-03-30 | 5.8 | None | Remote | Medium | Not required | Partial | Partial | None | Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. |
| 25 | CVE-2010-4340 | 264 | | Bypass | 2011-09-12 | 2011-09-13 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | libcloud before 0.4.1 does not verify SSL certificates for HTTPS connections, which allows remote attackers to spoof certificates and bypass intended access restrictions via a man-in-the-middle (MITM) attack. |
| 26 | CVE-2010-3863 | 22 | | Dir. Trav. Bypass | 2010-11-05 | 2010-11-11 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI. |
| 27 | CVE-2010-3315 | 16 | | Bypass | 2010-10-04 | 2011-03-23 | 6.0 | None | Remote | Medium | Single system | Partial | Partial | Partial | authz.c in the mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x before 1.5.8 and 1.6.x before 1.6.13, when SVNPathAuthz short_circuit is enabled, does not properly handle a named repository as a rule scope, which allows remote authenticated users to bypass intended access restrictions via svn commands. |
| 28 | CVE-2010-1870 | | 1 | Bypass | 2010-08-17 | 2011-09-21 | 5.0 | None | Remote | Low | Not required | None | Partial | None | The OGNL extensive expression evaluation capability in XWork in Struts 2.0.0 through 2.1.8.1, as used in Atlassian Fisheye, Crucible, and possibly other products, uses a permissive whitelist, which allows remote attackers to modify server-side context objects and bypass the "#" protection mechanism in ParameterInterceptors via the (1) #context, (2) #_memberAccess, (3) #root, (4) #this, (5) #_typeResolver, (6) #_classResolver, (7) #_traceEvaluations, (8) #_lastEvaluation, (9) #_keepLastEvaluation, and possibly other OGNL context variables, a different vulnerability than CVE-2008-6504. |
| 29 | CVE-2010-1151 | 362 | | Bypass | 2010-04-20 | 2010-05-27 | 6.8 | None | Remote | Medium | Not required | Partial | Partial | Partial | Race condition in the mod_auth_shadow module for the Apache HTTP Server allows remote attackers to bypass authentication, and read and possibly modify data, via vectors related to improper interaction with an external helper application for validation of credentials. |
| 30 | CVE-2009-3095 | 264 | | Bypass | 2009-09-08 | 2011-09-06 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | The mod_proxy_ftp module in the Apache HTTP Server allows remote attackers to bypass intended access restrictions and send arbitrary commands to an FTP server via vectors related to the embedding of these commands in the Authorization HTTP header, as demonstrated by a certain module in VulnDisco Pack Professional 8.11. |
| 31 | CVE-2009-2901 | 264 | | Bypass | 2010-01-28 | 2013-03-06 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests. |
| 32 | CVE-2008-5515 | 22 | | Dir. Trav. Bypass | 2009-06-16 | 2011-09-06 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. |
| 33 | CVE-2008-3271 | 264 | | Bypass +Info | 2008-10-13 | 2009-02-21 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve. |
| 34 | CVE-2008-2717 | 264 | | Bypass | 2008-06-16 | 2009-04-14 | 6.5 | None | Remote | Low | Single system | Partial | Partial | Partial | TYPO3 4.0.x before 4.0.9, 4.1.x before 4.1.7, and 4.2.x before 4.2.1, uses an insufficiently restrictive default fileDenyPattern for Apache, which allows remote attackers to bypass security restrictions and upload configuration files such as .htaccess, or conduct file upload attacks using multiple extensions. |
| 35 | CVE-2007-5797 | 287 | | Bypass | 2007-11-02 | 2008-11-15 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | SQLLoginModule in Apache Geronimo 2.0 through 2.1 does not throw an exception for a nonexistent username, which allows remote attackers to bypass authentication via a login attempt with any username not contained in the database. |
| 36 | CVE-2007-5085 | 287 | | Bypass | 2007-09-26 | 2008-11-15 | 5.0 | None | Remote | Low | Not required | Partial | None | None | Unspecified vulnerability in the management EJB (MEJB) in Apache Geronimo before 2.0.2 allows remote attackers to bypass authentication and obtain "access to Geronimo internals" via unspecified vectors. |
| 37 | CVE-2007-4723 | 22 | | Dir. Trav. Bypass | 2007-09-05 | 2008-11-15 | 7.5 | None | Remote | Low | Not required | Partial | Partial | Partial | Directory traversal vulnerability in Ragnarok Online Control Panel 4.3.4a, when the Apache HTTP Server is used, allows remote attackers to bypass authentication via directory traversal sequences in a URI that ends with the name of a publicly available page, as demonstrated by a "/...../" sequence and an account_manage.php/login.php final component for reaching the protected account_manage.php page. |
| 38 | CVE-2007-4548 | 287 | | Bypass | 2007-08-27 | 2008-09-05 | 10.0 | Admin | Remote | Low | Not required | Complete | Complete | Complete | The login method in LoginModule implementations in Apache Geronimo 2.0 does not throw FailedLoginException for failed logins, which allows remote attackers to bypass authentication requirements, deploy arbitrary modules, and gain administrative access by sending a blank username and password with the command line deployer in the deployment module. |
| 39 | CVE-2006-4110 | | | Bypass | 2006-08-14 | 2008-09-05 | 4.3 | None | Remote | Medium | Not required | Partial | None | None | Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters that bypass the case-sensitive ScriptAlias directive, but allow access to the file on case-insensitive file systems. |
| 40 | CVE-2006-1546 | | | Bypass | 2006-03-30 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Apache Software Foundation (ASF) Struts before 1.2.9 allows remote attackers to bypass validation via a request with a 'org.apache.struts.taglib.html.Constants.CANCEL' parameter, which causes the action to be canceled but would not be detected from applications that do not use the isCancelled check. |
| 41 | CVE-2005-3351 | | | Bypass | 2005-11-20 | 2010-08-21 | 5.0 | None | Remote | Low | Not required | None | Partial | None | SpamAssassin 3.0.4 allows attackers to bypass spam detection via an e-mail with a large number of recipients ("To" addresses), which triggers a bus error in Perl. |
| 42 | CVE-2005-2700 | | | Bypass | 2005-09-06 | 2010-08-21 | 10.0 | None | Remote | Low | Not required | Complete | Complete | Complete | ssl_engine_kernel.c in mod_ssl before 2.8.24, when using "SSLVerifyClient optional" in the global virtual host configuration, does not properly enforce "SSLVerifyClient require" in a per-location context, which allows remote attackers to bypass intended access restrictions. |
| 43 | CVE-2005-2090 | | | XSS Bypass | 2005-07-05 | 2010-08-21 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." |
| 44 | CVE-2005-2088 | | | XSS Bypass | 2005-07-05 | 2010-09-18 | 4.3 | None | Remote | Medium | Not required | None | Partial | None | The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." |
| 45 | CVE-2005-0508 | | | Bypass | 2005-03-14 | 2008-09-10 | 4.6 | User | Local | Low | Not required | Partial | Partial | Partial | Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue." |
| 46 | CVE-2004-2343 | | | Bypass | 2004-12-31 | 2008-09-05 | 7.2 | Admin | Local | Low | Not required | Complete | Complete | Complete | ** DISPUTED ** Apache HTTP Server 2.0.47 and earlier allows local users to bypass .htaccess file restrictions, as specified in httpd.conf with directives such as Deny From All, by using an ErrorDocument directive. NOTE: the vendor has disputed this issue, since the .htaccess mechanism is only intended to restrict external web access, and a local user already has the privileges to perform the same operations without using ErrorDocument. |
| 47 | CVE-2004-0885 | | | Bypass | 2004-11-03 | 2010-08-21 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration. |
| 48 | CVE-2003-0993 | | | Bypass | 2004-03-29 | 2008-09-10 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. |
| 49 | CVE-2002-1394 | | | Bypass | 2003-01-17 | 2008-09-10 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148. |
| 50 | CVE-2002-0493 | | | Bypass | 2002-08-12 | 2008-09-05 | 7.5 | User | Remote | Low | Not required | Partial | Partial | Partial | Apache Tomcat may be started without proper security settings if errors are encountered while reading the web.xml file, which could allow attackers to bypass intended restrictions. |