Vulnerability Details : CVE-2011-1419
Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.
Products affected by CVE-2011-1419
- cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
Threat overview for CVE-2011-1419
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2011-1419: 370
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2011-1419
- EPSS score: 16.10% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~94% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2011-1419

Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:N | 8.6 | 4.9 | NIST | 
References for CVE-2011-1419
- Apache Tomcat ServletSecurity security bypass CVE-2011-1088 Vulnerability Report (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/65971
- Re: @DenyAll does nothing, Michael McCutcheon, org.apache.tomcat.users (MarkMail): http://markmail.org/message/lzx5273wsgl5pob6
- OSVDB entry 71027: http://www.osvdb.org/71027
- Apache Tomcat 7 vulnerabilities (Apache Tomcat security page): http://tomcat.apache.org/security-7.html
- [SECURITY] Tomcat 7 ignores @ServletSecurity annotations (Apache announce list): http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106@apache.org%3E
- Apache Tomcat '@ServletSecurity' Annotations Security Bypass Vulnerability (SecurityFocus BID 46685): http://www.securityfocus.com/bid/46685
- Secunia Advisory 43684 (Vendor Advisory): http://secunia.com/advisories/43684
- Apache Tomcat 7 ignores ServletSecurity annotations (CXSecurity.com): http://securityreason.com/securityalert/8131
- Re: @DenyAll does nothing, Mark Thomas, org.apache.tomcat.users (MarkMail): http://markmail.org/message/yzmyn44f5aetmm2r
- [Apache-SVN] Revision 1079752 (Patch): http://svn.apache.org/viewvc?view=revision&revision=1079752
- '[SECURITY] Tomcat 7 ignores @ServletSecurity annotations' (MARC, tomcat-user): http://marc.info/?l=tomcat-user&m=129966773405409&w=2
- [SECURITY] Tomcat 7 ignores @ServletSecurity annotations (Apache Mail Archives): http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E
- VUPEN Advisory 2011/0563 (Vendor Advisory): http://www.vupen.com/english/advisories/2011/0563
- Apache Tomcat ServletSecurity security bypass CVE-2011-1419 Vulnerability Report (IBM X-Force): https://exchange.xforce.ibmcloud.com/vulnerabilities/66154