tomcat-announce mailing list archives

From Mark Thomas <>
Subject [SECURITY] CVE-2011-2481: Apache Tomcat information disclosure vulnerability
Date Fri, 12 Aug 2011 13:12:07 GMT
CVE-2011-2481: Apache Tomcat information disclosure vulnerability

Severity: low

The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.16
Previous versions are not affected.

The re-factoring of XML validation for Tomcat 7.0.x re-introduced the
vulnerability previously reported as CVE-2009-0783. This was initially
reported as a memory leak (bug 51395). If a web application is the first
web application loaded, this bug allows that web application to
potentially view and/or alter the web.xml, context.xml and tld files of
other web applications deployed on the Tomcat instance.

7.0.x users should upgrade to 7.0.17 or later

See for an
example web application that can be used to replace the XML parser used
by Tomcat.
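As an added defensive check, not part of this advisory or of Tomcat's own code, the script below reads the running Tomcat version from lib/catalina.jar and lists deployed web applications that bundle a JAR registering its own JAXP parser factory, which is how a web application replaces the XML parser Tomcat uses. It assumes the standard ServerInfo.properties location inside catalina.jar; the directory layout it builds for demonstration is constructed, not a real install.

```python
import os, re, tempfile, zipfile

# JAXP service entries; a JAR in WEB-INF/lib carrying one can replace Tomcat's own XML parser.
PARSER_SERVICES = (
    "META-INF/services/javax.xml.parsers.DocumentBuilderFactory",
    "META-INF/services/javax.xml.parsers.SAXParserFactory",
)

def tomcat_version(catalina_home):
    """Return server.number from lib/catalina.jar (e.g. '7.0.16.0'), or None."""
    jar = os.path.join(catalina_home, "lib", "catalina.jar")
    if not os.path.isfile(jar):
        return None
    with zipfile.ZipFile(jar) as zf:
        props = zf.read("org/apache/catalina/util/ServerInfo.properties").decode()
    m = re.search(r"^server\.number=(\S+)", props, re.M)
    return m.group(1) if m else None

def is_affected(version):
    """True for Tomcat 7.0.0 through 7.0.16 inclusive, the range in the advisory."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return (major, minor) == (7, 0) and patch <= 16

def parser_overrides(catalina_home):
    """Map webapp name -> bundled JARs that register their own JAXP parser factory."""
    found = {}
    webapps = os.path.join(catalina_home, "webapps")
    for app in sorted(os.listdir(webapps)):
        lib = os.path.join(webapps, app, "WEB-INF", "lib")
        for name in sorted(os.listdir(lib)) if os.path.isdir(lib) else []:
            if name.endswith(".jar"):
                with zipfile.ZipFile(os.path.join(lib, name)) as zf:
                    if any(s in zf.namelist() for s in PARSER_SERVICES):
                        found.setdefault(app, []).append(name)
    return found

def build_demo():
    """Constructed sample (not a real install): 7.0.16 where only webapp 'first' ships a parser."""
    home = tempfile.mkdtemp()
    os.makedirs(os.path.join(home, "lib"))
    with zipfile.ZipFile(os.path.join(home, "lib", "catalina.jar"), "w") as zf:
        zf.writestr("org/apache/catalina/util/ServerInfo.properties",
                    "server.info=Apache Tomcat/7.0.16\nserver.number=7.0.16.0\n")
    for app, jar, entry in (("first", "xercesImpl.jar", PARSER_SERVICES[1]),
                            ("other", "commons-io.jar", "META-INF/MANIFEST.MF")):
        lib = os.path.join(home, "webapps", app, "WEB-INF", "lib")
        os.makedirs(lib)
        with zipfile.ZipFile(os.path.join(lib, jar), "w") as zf:
            zf.writestr(entry, "constructed sample\n")
    return home
```

Run against a real CATALINA_HOME, a version in the affected range combined with a non-empty result from parser_overrides is the combination the advisory warns about.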

The security implications of bug 51395 were identified by the Tomcat
security team.


The Apache Tomcat Security Team
