Vulnerability details: VCID-fd9j-6vta-ubbp
Vulnerability ID VCID-fd9j-6vta-ubbp
Aliases CVE-2011-1419
GHSA-vch7-92vf-jm44
Summary Apache Tomcat 7.x before 7.0.11, when web.xml has no security constraints, does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2011-1088.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
generic_textual MODERATE http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106@apache.org%3E
generic_textual MODERATE http://marc.info/?l=tomcat-user&m=129966773405409&w=2
epss 0.16103 https://api.first.org/data/v1/epss?cve=CVE-2011-1419
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/65971
generic_textual MODERATE https://exchange.xforce.ibmcloud.com/vulnerabilities/66154
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-vch7-92vf-jm44
generic_textual MODERATE https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat/commit/0ff4905158b77787a7f3aca55c9dec93456665dc
generic_textual MODERATE https://github.com/apache/tomcat/commit/3e5b0455483eed55752047073e92403bfca8d3ec
cvssv2 5.8 https://nvd.nist.gov/vuln/detail/CVE-2011-1419
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2011-1419
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1079752
generic_textual MODERATE https://web.archive.org/web/20110307182442/http://markmail.org/message/yzmyn44f5aetmm2r
generic_textual MODERATE https://web.archive.org/web/20110323002552/http://markmail.org/message/lzx5273wsgl5pob6
generic_textual MODERATE https://web.archive.org/web/20170202135440/http://www.securityfocus.com/bid/46685
generic_textual MODERATE http://tomcat.apache.org/security-7.html
Reference id Reference type URL
http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106%40apache.org%3E
http://mail-archives.apache.org/mod_mbox/www-announce/201103.mbox/%3C4D6E74FF.7050106@apache.org%3E
http://marc.info/?l=tomcat-user&m=129966773405409&w=2
http://markmail.org/message/lzx5273wsgl5pob6
http://markmail.org/message/yzmyn44f5aetmm2r
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-1419.json
https://api.first.org/data/v1/epss?cve=CVE-2011-1419
http://secunia.com/advisories/43684
http://securityreason.com/securityalert/8131
https://exchange.xforce.ibmcloud.com/vulnerabilities/65971
https://exchange.xforce.ibmcloud.com/vulnerabilities/66154
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/0ff4905158b77787a7f3aca55c9dec93456665dc
https://github.com/apache/tomcat/commit/3e5b0455483eed55752047073e92403bfca8d3ec
https://nvd.nist.gov/vuln/detail/CVE-2011-1419
http://svn.apache.org/viewvc?view=revision&revision=1079752
https://web.archive.org/web/20110307182442/http://markmail.org/message/yzmyn44f5aetmm2r
https://web.archive.org/web/20110323002552/http://markmail.org/message/lzx5273wsgl5pob6
https://web.archive.org/web/20170202135440/http://www.securityfocus.com/bid/46685
http://tomcat.apache.org/security-7.html
http://www.osvdb.org/71027
http://www.securityfocus.com/bid/46685
http://www.vupen.com/english/advisories/2011/0563
708955 https://bugzilla.redhat.com/show_bug.cgi?id=708955
cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
GHSA-vch7-92vf-jm44 https://github.com/advisories/GHSA-vch7-92vf-jm44
GLSA-201206-24 https://security.gentoo.org/glsa/201206-24
No exploits are available.
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2011-1419
Decoded CVSS v2 base vector: Access Vector (AV): network; Access Complexity (AC): medium; Authentication (Au): none; Confidentiality Impact (C): partial; Integrity Impact (I): partial; Availability Impact (A): none; Exploitability (E): not_defined
Exploit Prediction Scoring System (EPSS)
Percentile 0.94757
EPSS Score 0.16103
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:23.685041+00:00 ProjectKB MSRImporter Import https://raw.githubusercontent.com/SAP/project-kb/master/MSR2019/dataset/vulas_db_msr2019_release.csv 38.0.0