CVE-2011-2526 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2011-2526 Interim 1 8 2023-02-15T02:27:00Z current 2021-05-30T12:58:18Z 2023-02-15T02:27:00Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2011-2526 Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 11 SP2 SUSE Linux Enterprise Server 11 SP3 SUSE Linux Enterprise Server 11 SP4 tomcat6-6.0.18-20.35.36.1 tomcat6-6.0.18-20.35.40.1 tomcat6-6.0.41-0.43.1 tomcat6-admin-webapps-6.0.18-20.35.36.1 tomcat6-admin-webapps-6.0.18-20.35.40.1 tomcat6-admin-webapps-6.0.41-0.43.1 tomcat6-docs-webapp-6.0.18-20.35.36.1 tomcat6-docs-webapp-6.0.18-20.35.40.1 tomcat6-docs-webapp-6.0.41-0.43.1 tomcat6-javadoc-6.0.18-20.35.36.1 tomcat6-javadoc-6.0.18-20.35.40.1 tomcat6-javadoc-6.0.41-0.43.1 tomcat6-jsp-2_1-api-6.0.18-20.35.36.1 tomcat6-jsp-2_1-api-6.0.18-20.35.40.1 tomcat6-jsp-2_1-api-6.0.41-0.43.1 tomcat6-lib-6.0.18-20.35.36.1 tomcat6-lib-6.0.18-20.35.40.1 tomcat6-lib-6.0.41-0.43.1 tomcat6-servlet-2_5-api-6.0.18-20.35.36.1 tomcat6-servlet-2_5-api-6.0.18-20.35.40.1 tomcat6-servlet-2_5-api-6.0.41-0.43.1 tomcat6-webapps-6.0.18-20.35.36.1 tomcat6-webapps-6.0.18-20.35.40.1 tomcat6-webapps-6.0.41-0.43.1 tomcat6-6.0.18-20.35.36.1 as a component of SUSE Linux Enterprise Server 11 SP2 tomcat6-admin-webapps-6.0.18-20.35.36.1 as a component of SUSE Linux Enterprise Server 11 SP2 tomcat6-docs-webapp-6.0.18-20.35.36.1 as a component of SUSE Linux Enterprise Server 11 SP2 tomcat6-javadoc-6.0.18-20.35.36.1 as a component of SUSE Linux Enterprise Server 11 SP2 tomcat6-jsp-2_1-api-6.0.18-20.35.36.1 as a component of SUSE Linux Enterprise Server 11 SP2 tomcat6-lib-6.0.18-20.35.36.1 as a component of SUSE Linux Enterprise Server 11 SP2 tomcat6-servlet-2_5-api-6.0.18-20.35.36.1 as a component of SUSE Linux Enterprise Server 11 SP2 tomcat6-webapps-6.0.18-20.35.36.1 as a component of SUSE Linux Enterprise Server 11 SP2 tomcat6-6.0.18-20.35.40.1 as a component of SUSE Linux Enterprise Server 11 SP3 tomcat6-admin-webapps-6.0.18-20.35.40.1 as a component of SUSE Linux Enterprise Server 11 SP3 tomcat6-docs-webapp-6.0.18-20.35.40.1 as a component of SUSE Linux Enterprise Server 11 SP3 tomcat6-javadoc-6.0.18-20.35.40.1 as a component of SUSE Linux Enterprise Server 11 SP3 tomcat6-jsp-2_1-api-6.0.18-20.35.40.1 as a component of SUSE Linux Enterprise Server 11 SP3 tomcat6-lib-6.0.18-20.35.40.1 as a component of SUSE Linux Enterprise Server 11 SP3 tomcat6-servlet-2_5-api-6.0.18-20.35.40.1 as a component of SUSE Linux Enterprise Server 11 SP3 tomcat6-webapps-6.0.18-20.35.40.1 as a component of SUSE Linux Enterprise Server 11 SP3 tomcat6-6.0.41-0.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-admin-webapps-6.0.41-0.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-docs-webapp-6.0.41-0.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-javadoc-6.0.41-0.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-jsp-2_1-api-6.0.41-0.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-lib-6.0.41-0.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-servlet-2_5-api-6.0.41-0.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-webapps-6.0.41-0.43.1 as a component of SUSE Linux Enterprise Server 11 SP4 Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. CVE-2011-2526 SUSE Linux Enterprise Server 11 SP2:tomcat6-6.0.18-20.35.36.1 SUSE Linux Enterprise Server 11 SP2:tomcat6-admin-webapps-6.0.18-20.35.36.1 SUSE Linux Enterprise Server 11 SP2:tomcat6-docs-webapp-6.0.18-20.35.36.1 SUSE Linux Enterprise Server 11 SP2:tomcat6-javadoc-6.0.18-20.35.36.1 SUSE Linux Enterprise Server 11 SP2:tomcat6-jsp-2_1-api-6.0.18-20.35.36.1 SUSE Linux Enterprise Server 11 SP2:tomcat6-lib-6.0.18-20.35.36.1 SUSE Linux Enterprise Server 11 SP2:tomcat6-servlet-2_5-api-6.0.18-20.35.36.1 SUSE Linux Enterprise Server 11 SP2:tomcat6-webapps-6.0.18-20.35.36.1 SUSE Linux Enterprise Server 11 SP3:tomcat6-6.0.18-20.35.40.1 SUSE Linux Enterprise Server 11 SP3:tomcat6-admin-webapps-6.0.18-20.35.40.1 SUSE Linux Enterprise Server 11 SP3:tomcat6-docs-webapp-6.0.18-20.35.40.1 SUSE Linux Enterprise Server 11 SP3:tomcat6-javadoc-6.0.18-20.35.40.1 SUSE Linux Enterprise Server 11 SP3:tomcat6-jsp-2_1-api-6.0.18-20.35.40.1 SUSE Linux Enterprise Server 11 SP3:tomcat6-lib-6.0.18-20.35.40.1 SUSE Linux Enterprise Server 11 SP3:tomcat6-servlet-2_5-api-6.0.18-20.35.40.1 SUSE Linux Enterprise Server 11 SP3:tomcat6-webapps-6.0.18-20.35.40.1 SUSE Linux Enterprise Server 11 SP4:tomcat6-6.0.41-0.43.1 SUSE Linux Enterprise Server 11 SP4:tomcat6-admin-webapps-6.0.41-0.43.1 SUSE Linux Enterprise Server 11 SP4:tomcat6-docs-webapp-6.0.41-0.43.1 SUSE Linux Enterprise Server 11 SP4:tomcat6-javadoc-6.0.41-0.43.1 SUSE Linux Enterprise Server 11 SP4:tomcat6-jsp-2_1-api-6.0.41-0.43.1 SUSE Linux Enterprise Server 11 SP4:tomcat6-lib-6.0.41-0.43.1 SUSE Linux Enterprise Server 11 SP4:tomcat6-servlet-2_5-api-6.0.41-0.43.1 SUSE Linux Enterprise Server 11 SP4:tomcat6-webapps-6.0.41-0.43.1 moderate 4.4 AV:L/AC:M/Au:N/C:P/I:P/A:P