CVE-2011-3190 Information

Description

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20 6.0.0 through 6.0.33 5.5.0 through 5.5.33 and possibly other versions allow remote attackers to spoof AJP requests bypass authentication and obtain sensitive information by causing the connector to interpret a request body as a new request.

Reference

http://marc.info/?l=bugtraq&m=132215163318824&w=2 http://marc.info/?l=bugtraq&m=133469267822771&w=2 http://marc.info/?l=bugtraq&m=136485229118404&w=2 http://marc.info/?l=bugtraq&m=139344343412337&w=2 http://secunia.com/advisories/45748 http://secunia.com/advisories/48308 http://secunia.com/advisories/49094 http://secunia.com/advisories/57126 http://securityreason.com/securityalert/8362 http://www.debian.org/security/2012/dsa-2401 http://www.mandriva.com/security/advisories?name=MDVSA-2011:156 http://www.securityfocus.com/archive/1/519466/100/0/threaded http://www.securityfocus.com/bid/49353 http://www.securitytracker.com/id?1025993 https://exchange.xforce.ibmcloud.com/vulnerabilities/69472 https://issues.apache.org/bugzilla/show_bug.cgi?id=51698 https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@3Cdev.tomcat.apache.org3E https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@3Cdev.tomcat.apache.org3E https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@3Cdev.tomcat.apache.org3E https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@3Cdev.tomcat.apache.org3E https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A14933 https://oval.cisecurity.org/repository/search/definition/oval3Aorg.mitre.oval3Adef3A19465