CVE-2011-3190

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 UNKNOWN
NETWORK
LOW
AV:N/AC:L/Au:N/C:P/I:P/A:P
Base Score
CVSS 3.x
EPSS Score
Percentile: 75%
Affected Products (NVD)
VendorProductVersion
apachetomcat
7.0.0
apachetomcat
7.0.0:beta
apachetomcat
7.0.1
apachetomcat
7.0.2
apachetomcat
7.0.3
apachetomcat
7.0.4
apachetomcat
7.0.5
apachetomcat
7.0.6
apachetomcat
7.0.7
apachetomcat
7.0.8
apachetomcat
7.0.9
apachetomcat
7.0.10
apachetomcat
7.0.11
apachetomcat
7.0.12
apachetomcat
7.0.13
apachetomcat
7.0.14
apachetomcat
7.0.16
apachetomcat
7.0.17
apachetomcat
7.0.19
apachetomcat
7.0.20
apachetomcat
6.0
apachetomcat
6.0.0
apachetomcat
6.0.1
apachetomcat
6.0.2
apachetomcat
6.0.3
apachetomcat
6.0.4
apachetomcat
6.0.5
apachetomcat
6.0.6
apachetomcat
6.0.7
apachetomcat
6.0.8
apachetomcat
6.0.9
apachetomcat
6.0.10
apachetomcat
6.0.11
apachetomcat
6.0.12
apachetomcat
6.0.13
apachetomcat
6.0.14
apachetomcat
6.0.15
apachetomcat
6.0.16
apachetomcat
6.0.17
apachetomcat
6.0.18
apachetomcat
6.0.19
apachetomcat
6.0.20
apachetomcat
6.0.24
apachetomcat
6.0.26
apachetomcat
6.0.27
apachetomcat
6.0.28
apachetomcat
6.0.29
apachetomcat
6.0.30
apachetomcat
6.0.31
apachetomcat
6.0.32
apachetomcat
6.0.33
apachetomcat
5.5.0
apachetomcat
5.5.1
apachetomcat
5.5.2
apachetomcat
5.5.3
apachetomcat
5.5.4
apachetomcat
5.5.5
apachetomcat
5.5.6
apachetomcat
5.5.7
apachetomcat
5.5.8
apachetomcat
5.5.9
apachetomcat
5.5.10
apachetomcat
5.5.11
apachetomcat
5.5.12
apachetomcat
5.5.13
apachetomcat
5.5.14
apachetomcat
5.5.15
apachetomcat
5.5.16
apachetomcat
5.5.17
apachetomcat
5.5.18
apachetomcat
5.5.19
apachetomcat
5.5.20
apachetomcat
5.5.21
apachetomcat
5.5.22
apachetomcat
5.5.23
apachetomcat
5.5.24
apachetomcat
5.5.25
apachetomcat
5.5.26
apachetomcat
5.5.27
apachetomcat
5.5.28
apachetomcat
5.5.29
apachetomcat
5.5.30
apachetomcat
5.5.31
apachetomcat
5.5.32
apachetomcat
5.5.33
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat5.5
hardy
Fixed 5.5.25-5ubuntu1.3
released
lucid
dne
maverick
dne
natty
dne
oneiric
dne
tomcat6
hardy
dne
lucid
Fixed 6.0.24-2ubuntu1.9
released
maverick
Fixed 6.0.28-2ubuntu1.5
released
natty
Fixed 6.0.28-10ubuntu2.2
released
oneiric
not-affected
tomcat7
hardy
dne
lucid
dne
maverick
dne
natty
dne
oneiric
Fixed 7.0.21-1
released
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
tomcat6
RHEL 6
0:6.0.24-35.el6_1
fixed
tomcat6-admin-webapps
RHEL 6
0:6.0.24-35.el6_1
fixed
tomcat6-docs-webapp
RHEL 6
0:6.0.24-35.el6_1
fixed
tomcat6-el-2.1-api
RHEL 6
0:6.0.24-35.el6_1
fixed
tomcat6-javadoc
RHEL 6
0:6.0.24-35.el6_1
fixed
tomcat6-jsp-2.1-api
RHEL 6
0:6.0.24-35.el6_1
fixed
tomcat6-lib
RHEL 6
0:6.0.24-35.el6_1
fixed
tomcat6-servlet-2.5-api
RHEL 6
0:6.0.24-35.el6_1
fixed
tomcat6-webapps
RHEL 6
0:6.0.24-35.el6_1
fixed
Common Weakness Enumeration
References
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=133469267822771&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/45748
http://secunia.com/advisories/48308
http://secunia.com/advisories/49094
http://secunia.com/advisories/57126
http://securityreason.com/securityalert/8362
http://www.debian.org/security/2012/dsa-2401
http://www.mandriva.com/security/advisories?name=MDVSA-2011:156
http://www.securityfocus.com/archive/1/519466/100/0/threaded
http://www.securityfocus.com/bid/49353
http://www.securitytracker.com/id?1025993
https://exchange.xforce.ibmcloud.com/vulnerabilities/69472
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=133469267822771&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/45748
http://secunia.com/advisories/48308
http://secunia.com/advisories/49094
http://secunia.com/advisories/57126
http://securityreason.com/securityalert/8362
http://www.debian.org/security/2012/dsa-2401
http://www.mandriva.com/security/advisories?name=MDVSA-2011:156
http://www.securityfocus.com/archive/1/519466/100/0/threaded
http://www.securityfocus.com/bid/49353
http://www.securitytracker.com/id?1025993
https://exchange.xforce.ibmcloud.com/vulnerabilities/69472
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465