The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.11
- Earlier versions are not affected
Description:
A regression in the fix for CVE-2011-1088 meant that security
constraints were ignored when no login configuration was present in the
web.xml and the web application was marked as meta-data complete.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat 7.0.12 or later
- Ensure a login configuration is defined in web.xml
Credit:
This issue was identified by the Apache Tomcat security team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum