Open Source and information security mailing list archives
Date: Fri, 12 Aug 2011 14:12:07 +0100
From: Mark Thomas <>
To: Tomcat Users List <>
CC: Tomcat Developers List <>,
  Tomcat Announce List <>,,,
Subject: [SECURITY] CVE-2011-2481: Apache Tomcat information disclosure vulnerability

CVE-2011-2481: Apache Tomcat information disclosure vulnerability

Severity: low

The Apache Software Foundation

Versions Affected:
Tomcat 7.0.0 to 7.0.16
Previous versions are not affected.

The refactoring of XML validation for Tomcat 7.0.x re-introduced the
vulnerability previously reported as CVE-2009-0783. This was initially
reported as a memory leak (bug 51395). If a web application is the first
web application loaded, this bug allows that web application to
potentially view and/or alter the web.xml, context.xml and tld files of
other web applications deployed on the Tomcat instance, because the XML
parser supplied by that first web application becomes the parser Tomcat
itself uses when it processes those files for the applications loaded
after it.

7.0.x users should upgrade to 7.0.17 or later.
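The following is an added example, not part of the advisory or of Tomcat itself. It turns the version range stated above (7.0.0 through 7.0.16 affected, fixed in 7.0.17, earlier lines not affected by this CVE) into a triage check that can be run over the "Server version:" line printed by `catalina.sh version`. The sample lines are constructed for illustration; the function and constant names are this example's own.

```python
"""Triage Tomcat version strings against the CVE-2011-2481 affected range.

Added example, not code from the advisory or from the Tomcat project.
The affected range (7.0.0..7.0.16) and the fix version (7.0.17) are taken
from the advisory text; the sample input lines below are constructed.
"""
import re

# From the advisory: Tomcat 7.0.0 through 7.0.16 inclusive are affected,
# 7.0.17 contains the fix, versions before 7.0.0 are not affected.
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (7, 0, 16)
FIXED_IN = (7, 0, 17)

# Matches the version as printed by catalina.sh version, e.g.
# "Server version: Apache Tomcat/7.0.16"
_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(text):
    """Return (major, minor, patch) parsed from a ServerInfo-style line,
    or None if the line carries no Tomcat version."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected_by_cve_2011_2481(text):
    """True if the version in `text` lies in 7.0.0..7.0.16 inclusive.

    Raises ValueError if no version can be found, so that an unparseable
    line is never silently reported as 'not affected'."""
    v = parse_tomcat_version(text)
    if v is None:
        raise ValueError("no Tomcat version found in: %r" % (text,))
    return AFFECTED_MIN <= v <= AFFECTED_MAX


def triage(lines):
    """Classify each line that carries a version. Returns a dict mapping
    'major.minor.patch' to one of: 'affected', 'fixed', 'not affected'."""
    results = {}
    for line in lines:
        v = parse_tomcat_version(line)
        if v is None:
            continue  # not a version line; skip rather than guess
        key = "%d.%d.%d" % v
        if AFFECTED_MIN <= v <= AFFECTED_MAX:
            results[key] = "affected"
        elif v >= FIXED_IN:
            results[key] = "fixed"
        else:
            results[key] = "not affected"  # predates the 7.0.x refactoring
    return results


# Constructed sample input in the shape printed by `catalina.sh version`.
SAMPLE_LINES = [
    "Server version: Apache Tomcat/7.0.0",
    "Server version: Apache Tomcat/7.0.16",
    "Server version: Apache Tomcat/7.0.17",
    "Server version: Apache Tomcat/6.0.32",
    "Server built:   Jun 28 2011 08:57:00",
]

if __name__ == "__main__":
    for version, verdict in sorted(triage(SAMPLE_LINES).items()):
        print("%-8s %s" % (version, verdict))
```

Feed it the real output of `catalina.sh version` (or the `Apache Tomcat/x.y.z` banner from an error page) on each host rather than a hand-typed version; the parser deliberately refuses to classify a line with no version so that a missing banner is noticed instead of being counted as clean.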

See for an
example web application that can be used to replace the XML parser used
by Tomcat.

The security implications of bug 51395 were identified by the Tomcat
security team.


The Apache Tomcat Security Team
