GHSA-c38m-v4m2-524v

Source

https://github.com/advisories/GHSA-c38m-v4m2-524v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-c38m-v4m2-524v/GHSA-c38m-v4m2-524v.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-c38m-v4m2-524v

Aliases

CVE-2011-3190

Published

2022-05-14T01:17:02Z

Modified

2024-02-21T22:10:43Z

Summary

Apache Tomcat Allows Remote Attackers to Spoof AJP Requests

Details

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

Database specific

{
    "nvd_published_at": "2011-08-31T23:55:00Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-17T22:19:29Z"
}

References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

7.0.0

Fixed

7.0.21

Database specific

{
    "last_known_affected_version_range": "<= 7.0.20"
}

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Fixed

6.0.34

Database specific

{
    "last_known_affected_version_range": "<= 6.0.33"
}

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.0.0

Fixed

5.5.34

Database specific

{
    "last_known_affected_version_range": "<= 5.5.33"
}