製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache Tomcat の HTTP BIO コネクタにおけるレスポンスを閲覧される脆弱性

Title	Apache Tomcat の HTTP BIO コネクタにおけるレスポンスを閲覧される脆弱性
Summary	Apache Tomcat の HTTP BIO コネクタは、HTTP のパイプラインを適切に処理しないため、他のクライアントへ送信したレスポンスを閲覧される脆弱性が存在します。
Possible impacts	第三者により、HTTP パケット内のアプリケーションデータの検査を介して、他のクライアントへ送信したレスポンスを閲覧される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	March 28, 2011, midnight
Registration Date	April 28, 2011, 3:29 p.m.
Last Update	April 28, 2011, 3:29 p.m.

Affected System

Apache Software Foundation

Apache Tomcat 7.0.12 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-1475	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475
National Vulnerability Database (NVD)
2	CVE-2011-1475	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1475

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Apache Software Foundation
1	Fixed_in_Apache_Tomcat_7.0.12	http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.12_%28released_6_Apr_2011%29
Apache-SVN
2	1086349	http://svn.apache.org/viewvc?view=revision&revision=1086349
3	1086352	http://svn.apache.org/viewvc?view=revision&revision=1086352

その他

No	Name	URL
ISS X-Force Database
1	66676	http://xforce.iss.net/xforce/xfdb/66676
SecurityFocus
2	47199	http://www.securityfocus.com/bid/47199
SecurityTracker
3	1025303	http://www.securitytracker.com/id?1025303
VUPEN Security
4	VUPEN/ADV-2011-0894	http://www.vupen.com/english/advisories/2011/0894

Change Log

No	Changed Details	Date of change
0	[2011年04月28日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2011-1475

Summary	The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."
Publication Date	April 9, 2011, 12:17 a.m.
Registration Date	Jan. 28, 2021, 4:38 p.m.
Last Update	Nov. 21, 2024, 10:26 a.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	http://seclists.org/fulldisclosure/2011/Apr/97
2	http://securityreason.com/securityalert/8188
3	http://svn.apache.org/viewvc?view=revision&revision=1086349	Patch
4	http://svn.apache.org/viewvc?view=revision&revision=1086352	Patch
5	http://tomcat.apache.org/security-7.html	Vendor Advisory
6	http://www.securityfocus.com/archive/1/517363
7	http://www.securityfocus.com/bid/47199
8	http://www.securitytracker.com/id?1025303
9	http://www.vupen.com/english/advisories/2011/0894
10	https://exchange.xforce.ibmcloud.com/vulnerabilities/66676
11	https://issues.apache.org/bugzilla/show_bug.cgi?id=50957
12	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12374
13	http://seclists.org/fulldisclosure/2011/Apr/97
14	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12374
15	https://issues.apache.org/bugzilla/show_bug.cgi?id=50957
16	https://exchange.xforce.ibmcloud.com/vulnerabilities/66676
17	http://www.vupen.com/english/advisories/2011/0894
18	http://www.securitytracker.com/id?1025303
19	http://www.securityfocus.com/bid/47199
20	http://www.securityfocus.com/archive/1/517363
21	http://tomcat.apache.org/security-7.html	Vendor Advisory
22	http://svn.apache.org/viewvc?view=revision&revision=1086352	Patch
23	http://svn.apache.org/viewvc?view=revision&revision=1086349	Patch
24	http://securityreason.com/securityalert/8188

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html