CVE-2011-3190: Apache Tomcat Allows Remote Attackers to Spoof AJP Requests
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. The exposure is the AJP listener itself: whoever can deliver bytes to the connector (directly, or through a front-end proxy that forwards a request body unchanged) can control what the connector parses as the next request, and because AJP forward-request messages carry request attributes such as the remote user that the container trusts from its proxy, a spoofed request can arrive looking already authenticated. Whether a deployment is exposed therefore depends on the Tomcat version, on whether an AJP connector is configured at all, and on who can reach its port.
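As an added check (not code from the advisory or from Apache Tomcat), the script below compares a Tomcat version string against the three ranges quoted in the CVE text and inspects a server.xml for AJP connectors, reporting the conditions that make the bug reachable: an affected version, an AJP connector bound to every interface, and an AJP connector with no `requiredSecret`. The `address` and `requiredSecret` connector attributes are standard Tomcat 6/7 AJP connector settings; the network-binding and shared-secret hints are general AJP hygiene and are assumptions added here, not remediation quoted from the advisory. The embedded server.xml is a constructed sample, and versions outside the quoted ranges ("possibly other versions") are reported as not affected by this check alone.

```python
# Added example for CVE-2011-3190 (not code from Apache Tomcat or the advisory):
# flag Tomcat installs where the AJP request-body confusion is reachable.
import xml.etree.ElementTree as ET

# Affected ranges exactly as the CVE text lists them. "Possibly other versions"
# is not modelled, so anything outside these ranges is reported as not affected.
AFFECTED_RANGES = (
    ((7, 0, 0), (7, 0, 20)),
    ((6, 0, 0), (6, 0, 33)),
    ((5, 5, 0), (5, 5, 33)),
)

# Constructed sample server.xml: an HTTP connector plus an AJP connector that
# listens on every interface and carries no shared secret.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def parse_version(version):
    """Turn '7.0.20', or a packaged form such as '7.0.20-1.el6', into (7, 0, 20)."""
    nums = []
    for part in version.split("-", 1)[0].split("."):
        lead = ""
        for ch in part:          # keep only the leading digits of each component
            if not ch.isdigit():
                break
            lead += ch
        if not lead:
            break
        nums.append(int(lead))
    if len(nums) < 3:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    return tuple(nums[:3])


def is_affected(version):
    """True when the version falls inside one of the ranges quoted in the CVE."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_ajp_connectors(server_xml):
    """Return every <Connector> whose protocol names AJP (e.g. 'AJP/1.3' or
    'org.apache.coyote.ajp.AjpProtocol'), with the attributes the check needs."""
    root = ET.fromstring(server_xml)
    found = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")   # Tomcat's default when omitted
        if "ajp" not in proto.lower():
            continue
        found.append({
            "port": conn.get("port"),
            "protocol": proto,
            "address": conn.get("address"),              # None: bound to all interfaces
            "requiredSecret": conn.get("requiredSecret"),  # None or empty: no secret
        })
    return found


def assess(version, server_xml):
    """Return a list of findings; an empty list means this check has nothing to report."""
    findings = []
    connectors = find_ajp_connectors(server_xml)
    if not connectors:
        return findings   # no AJP listener, so the affected connector code is not reachable
    if is_affected(version):
        findings.append(f"Tomcat {version} is in an affected range for CVE-2011-3190: upgrade")
    for c in connectors:
        where = f"AJP connector on port {c['port']}"
        if c["address"] is None:
            findings.append(f"{where} listens on all interfaces: set address= to loopback "
                            "or the proxy-facing interface")
        if not c["requiredSecret"]:
            findings.append(f"{where} sets no requiredSecret: configure one and the "
                            "matching secret on the proxy worker")
    return findings


if __name__ == "__main__":
    for line in assess("7.0.20", SAMPLE_SERVER_XML):
        print(line)
```

Run it against a real `conf/server.xml` and the version reported by `catalina.sh version`; a distro package version such as `7.0.20-1.el6` is accepted as well. An empty result only means the three conditions above are absent, not that the deployment is patched, since the CVE text leaves room for other affected versions.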
References
- marc.info/?l=bugtraq&m=132215163318824&w=2
- marc.info/?l=bugtraq&m=133469267822771&w=2
- marc.info/?l=bugtraq&m=136485229118404&w=2
- marc.info/?l=bugtraq&m=139344343412337&w=2
- securityreason.com/securityalert/8362
- www.debian.org/security/2012/dsa-2401
- www.mandriva.com/security/advisories?name=MDVSA-2011:156
- www.securityfocus.com/archive/1/519466/100/0/threaded
- www.securityfocus.com/bid/49353
- www.securitytracker.com/id?1025993
- exchange.xforce.ibmcloud.com/vulnerabilities/69472
- github.com/advisories/GHSA-c38m-v4m2-524v
- issues.apache.org/bugzilla/show_bug.cgi?id=51698
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2011-3190
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465