{
  "threat_severity" : "Low",
  "public_date" : "2011-07-13T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: security manager restrictions bypass",
    "id" : "720948",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=720948"
  },
  "cvss" : {
    "cvss_base_score" : "2.6",
    "cvss_scoring_vector" : "AV:L/AC:H/Au:N/C:P/I:N/A:P",
    "status" : "verified"
  },
  "details" : [ "Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application." ],
  "statement" : "The Red Hat Security Response Team has rated this issue as having low security\nimpact; a future update may address this flaw.",
  "acknowledgement" : "Red Hat would like to thank the Apache Tomcat project for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "JBEWP 5 for RHEL 5",
    "release_date" : "2012-01-31T00:00:00Z",
    "advisory" : "RHSA-2012:0076",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el5",
    "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el5"
  }, {
    "product_name" : "JBEWP 5 for RHEL 6",
    "release_date" : "2012-01-31T00:00:00Z",
    "advisory" : "RHSA-2012:0076",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5::el6",
    "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el6"
  }, {
    "product_name" : "JBoss Communications Platform 5.1",
    "release_date" : "2012-01-31T00:00:00Z",
    "advisory" : "RHSA-2012:0078",
    "cpe" : "cpe:/a:redhat:jboss_communications_platform:5.1"
  }, {
    "product_name" : "JBoss Enterprise BRMS Platform 5.1",
    "release_date" : "2012-02-22T00:00:00Z",
    "advisory" : "RHSA-2012:0325",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2011-12-05T00:00:00Z",
    "advisory" : "RHSA-2011:1780",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "tomcat6-0:6.0.24-35.el6_1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 4.3",
    "release_date" : "2012-01-19T00:00:00Z",
    "advisory" : "RHSA-2012:0041",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:4.3"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5.1",
    "release_date" : "2012-01-31T00:00:00Z",
    "advisory" : "RHSA-2012:0075",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5.1"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 4",
    "release_date" : "2012-01-31T00:00:00Z",
    "advisory" : "RHSA-2012:0074",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el4",
    "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el4"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 5",
    "release_date" : "2012-01-31T00:00:00Z",
    "advisory" : "RHSA-2012:0074",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el5",
    "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5 for RHEL 6",
    "release_date" : "2012-01-31T00:00:00Z",
    "advisory" : "RHSA-2012:0074",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5::el6",
    "package" : "jbossweb-0:2.1.12-3_patch_03.2.ep5.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5",
    "release_date" : "2012-05-21T00:00:00Z",
    "advisory" : "RHSA-2012:0680",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5",
    "package" : "tomcat5-0:5.5.33-27_patch_07.ep5.el5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 5",
    "release_date" : "2012-05-21T00:00:00Z",
    "advisory" : "RHSA-2012:0682",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el5",
    "package" : "tomcat6-0:6.0.32-24_patch_07.ep5.el5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 6",
    "release_date" : "2012-05-21T00:00:00Z",
    "advisory" : "RHSA-2012:0680",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el6",
    "package" : "tomcat5-0:5.5.33-28_patch_07.ep5.el6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 1 for RHEL 6",
    "release_date" : "2012-05-21T00:00:00Z",
    "advisory" : "RHSA-2012:0682",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1::el6",
    "package" : "tomcat6-0:6.0.32-24_patch_07.ep5.el6"
  }, {
    "product_name" : "Red Hat JBoss Portal 4.3",
    "release_date" : "2012-02-02T00:00:00Z",
    "advisory" : "RHSA-2012:0091",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:4.3"
  }, {
    "product_name" : "Red Hat JBoss Portal 5.2",
    "release_date" : "2012-02-22T00:00:00Z",
    "advisory" : "RHSA-2012:0325",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2"
  }, {
    "product_name" : "Red Hat JBoss SOA Platform 5.2",
    "release_date" : "2012-02-22T00:00:00Z",
    "advisory" : "RHSA-2012:0325",
    "cpe" : "cpe:/a:redhat:jboss_soa_platform:5.2"
  }, {
    "product_name" : "Red Hat JBoss Web Platform 5.1",
    "release_date" : "2012-01-31T00:00:00Z",
    "advisory" : "RHSA-2012:0077",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_platform:5.1"
  }, {
    "product_name" : "Red Hat JBoss Web Server 1.0",
    "release_date" : "2012-05-21T00:00:00Z",
    "advisory" : "RHSA-2012:0679",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1.0"
  }, {
    "product_name" : "Red Hat JBoss Web Server 1.0",
    "release_date" : "2012-05-21T00:00:00Z",
    "advisory" : "RHSA-2012:0681",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:1.0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "tomcat5",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2011-2526\nhttps://nvd.nist.gov/vuln/detail/CVE-2011-2526" ],
  "name" : "CVE-2011-2526",
  "csaw" : false
}