製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache Tomcat におけるアクセス制限を回避される脆弱性

Title	Apache Tomcat におけるアクセス制限を回避される脆弱性
Summary	Apache Tomcat は、ServletSecurity アノテーションに従わないため、アクセス制限を回避される脆弱性が存在します。
Possible impacts	第三者により、ウェブアプリケーションへの HTTP リクエストを介して、アクセス制限を回避される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 11, 2011, midnight
Registration Date	April 6, 2011, 5:23 p.m.
Last Update	April 6, 2011, 5:23 p.m.

CVSS2.0 : 警告
Score	5.8
Vector	AV:N/AC:M/Au:N/C:P/I:P/A:N

Affected System

Apache Software Foundation

Apache Tomcat 7.0.11 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-1088	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1088
National Vulnerability Database (NVD)
2	CVE-2011-1088	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1088

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-DesignError	https://www.ipa.go.jp/security/vuln/CWE.html#CWEDesignError

ベンダー情報

No	Name	URL
Apache Software Foundation
1	Fixed_in_Apache_Tomcat_7.0.11	http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.11_%28released_11_Mar_2011%29
Apache-SVN
2	1076586	http://svn.apache.org/viewvc?view=revision&revision=1076586
3	1076587	http://svn.apache.org/viewvc?view=revision&revision=1076587
4	1077995	http://svn.apache.org/viewvc?view=revision&revision=1077995

その他

No	Name	URL
Secunia Advisory
1	SA43684	http://secunia.com/advisories/43684
SecurityFocus
2	46685	http://www.securityfocus.com/bid/46685
VUPEN Security
3	VUPEN/ADV-2011-0563	http://www.vupen.com/english/advisories/2011/0563

Change Log

No	Changed Details	Date of change
0	[2011年04月06日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-1088

Summary	Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application.
Publication Date	March 15, 2011, 4:55 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:25 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:7.0.8:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.6:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.7:::::::*
cpe:2.3:a:apache:tomcat:7.0.9:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*

Related information, measures and tools

No	URL	タグ
1	http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E
2	http://markmail.org/message/lzx5273wsgl5pob6
3	http://markmail.org/message/yzmyn44f5aetmm2r
4	http://secunia.com/advisories/43684	Vendor Advisory
5	http://svn.apache.org/viewvc?view=revision&revision=1076586	Patch
6	http://svn.apache.org/viewvc?view=revision&revision=1076587
7	http://svn.apache.org/viewvc?view=revision&revision=1077995
8	http://tomcat.apache.org/security-7.html	Vendor Advisory
9	http://www.osvdb.org/71027
10	http://www.securityfocus.com/archive/1/517013/100/0/threaded
11	http://www.securityfocus.com/bid/46685
12	http://www.securitytracker.com/id?1025215
13	http://www.vupen.com/english/advisories/2011/0563	Vendor Advisory
14	https://exchange.xforce.ibmcloud.com/vulnerabilities/65971
15	http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E
16	https://exchange.xforce.ibmcloud.com/vulnerabilities/65971
17	http://www.vupen.com/english/advisories/2011/0563	Vendor Advisory
18	http://www.securitytracker.com/id?1025215
19	http://www.securityfocus.com/bid/46685
20	http://www.securityfocus.com/archive/1/517013/100/0/threaded
21	http://www.osvdb.org/71027
22	http://tomcat.apache.org/security-7.html	Vendor Advisory
23	http://svn.apache.org/viewvc?view=revision&revision=1077995
24	http://svn.apache.org/viewvc?view=revision&revision=1076587
25	http://svn.apache.org/viewvc?view=revision&revision=1076586	Patch
26	http://secunia.com/advisories/43684	Vendor Advisory
27	http://markmail.org/message/yzmyn44f5aetmm2r
28	http://markmail.org/message/lzx5273wsgl5pob6

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:7.0.8:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.6:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.7:::::::*
cpe:2.3:a:apache:tomcat:7.0.9:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*