VYPR
Moderate severity · NVD Advisory · Published Mar 14, 2011 · Updated Apr 29, 2026

CVE-2011-1419

Description

Apache Tomcat 7.x before 7.0.11 fails to enforce ServletSecurity annotations when web.xml lacks security constraints, allowing unauthorized access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Apache Tomcat 7.x versions prior to 7.0.11 do not enforce @ServletSecurity annotations on servlets when the web.xml deployment descriptor contains no security constraints. The cause is an incomplete fix for CVE-2011-1088: the authenticatorConfig() method in org.apache.catalina.startup.ContextConfig returned early when context.findConstraints() yielded no SecurityConstraint objects, so no authenticator was ever installed for the context and the constraints declared by annotations were never evaluated [1][3]. Affected versions: Tomcat 7.0.0 through 7.0.10.

Exploitation

An attacker can send HTTP requests to a web application that relies on @ServletSecurity annotations for access control, provided the application's web.xml declares no security constraints. No authentication or special network position is required; the attacker simply requests a protected resource. Because no authenticator was configured for the context, the server serves the request without applying the annotation-defined constraints [2][3].

Impact

Successful exploitation allows remote attackers to bypass intended access restrictions, potentially accessing resources that should be protected (e.g., requiring certain roles). This can lead to unauthorized information disclosure or privilege escalation, depending on the application's security model [1][2].

Mitigation

The vulnerability is fixed in Apache Tomcat 7.0.11, released in March 2011 [1]. Users should upgrade to 7.0.11 or later. Note that Tomcat 7.0.x has reached end of life and is no longer supported; users are advised to upgrade to Tomcat 9.0.x or later for ongoing security fixes [1]. No workaround is documented; the fix ensures the authenticator is always configured even when no constraints are present in web.xml [3].
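As an added triage check (not part of this advisory or of Tomcat's own code), the script below classifies one deployed context against the three preconditions described above: a Tomcat version in 7.0.0 through 7.0.10, a web.xml that declares no security-constraint, and a descriptor that is not metadata-complete (annotations are ignored in that case, which is what the getIgnoreAnnotations() branch in the patches reflects). It assumes the application relies on @ServletSecurity and that the version string comes from version.sh output; the two web.xml samples are constructed.

```python
import re
import xml.etree.ElementTree as ET

FIRST_AFFECTED, FIXED = (7, 0, 0), (7, 0, 11)   # advisory: 7.0.0-7.0.10 affected
JAVAEE_NS = {"j": "http://java.sun.com/xml/ns/javaee"}

def parse_tomcat_version(text: str) -> tuple:
    """(major, minor, patch) from an 'Apache Tomcat/7.0.10' string (version.sh output)."""
    m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError("no Tomcat version string found")
    return tuple(int(g) for g in m.groups())

def version_in_range(version: tuple) -> bool:
    return FIRST_AFFECTED <= version < FIXED

def webxml_state(web_xml: str) -> dict:
    """The two descriptor facts the bug depends on: any <security-constraint> present,
    and metadata-complete="true" (annotations then ignored, cf. getIgnoreAnnotations())."""
    root = ET.fromstring(web_xml)
    has_constraint = (root.find("j:security-constraint", JAVAEE_NS) is not None
                      or root.find("security-constraint") is not None)
    metadata_complete = root.get("metadata-complete", "false").lower() == "true"
    return {"has_constraint": has_constraint, "metadata_complete": metadata_complete}

def assess(version_text: str, web_xml: str) -> str:
    """'exposed' when every precondition the advisory names holds for this context;
    otherwise report the precondition that fails."""
    if not version_in_range(parse_tomcat_version(version_text)):
        return "not affected: Tomcat version outside 7.0.0-7.0.10"
    st = webxml_state(web_xml)
    if st["has_constraint"]:
        return "not affected: web.xml declares security constraints"
    if st["metadata_complete"]:
        return "not affected: metadata-complete, annotations are ignored"
    return "exposed"

# Constructed sample descriptors (not from any real deployment).
NO_CONSTRAINTS = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet><servlet-name>RoleProtected</servlet-name>
    <servlet-class>example.RoleAllowServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>RoleProtected</servlet-name>
    <url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""
WITH_CONSTRAINT = NO_CONSTRAINTS.replace("</web-app>", """  <security-constraint>
    <web-resource-collection><web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>""")
```

Whether the servlets actually carry @ServletSecurity still has to be confirmed from the application's classes; the script only decides whether the container-side preconditions hold.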

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.apache.tomcat:tomcat (Maven)
Affected versions: >= 7.0, < 7.0.11
Patched versions: 7.0.11

Affected products

13 entries
  • Apache/Tomcat (12 versions)
    • cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 7.0, < 7.0.11

Patches

2 commits

Commit 3e5b0455483e

CVE-2011-1088

https://github.com/apache/tomcat · Mark Emlyn David Thomas · Mar 9, 2011 · via ghsa
3 files changed · +17 −4
  • java/org/apache/catalina/core/StandardWrapper.java (+6 −1, modified)
    @@ -1145,9 +1145,14 @@ private void processServletSecurityAnnotation(Servlet servlet) {
             // Calling this twice isn't harmful so no syncs
             servletSecurityAnnotationScanRequired = false;
     
    +        Context ctxt = (Context) getParent();
    +        
    +        if (ctxt.getIgnoreAnnotations()) {
    +            return;
    +        }
    +
             ServletSecurity secAnnotation =
                 servlet.getClass().getAnnotation(ServletSecurity.class);
    -        Context ctxt = (Context) getParent();
             if (secAnnotation != null) {
                 ctxt.addServletSecurity(
                         new ApplicationServletRegistration(this, ctxt),
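Review bot: the early return at `if (ctxt.getIgnoreAnnotations())` sits after `servletSecurityAnnotationScanRequired = false;` has already been cleared, so a metadata-complete context never rescans, and the skip is silent. A debug-level log line at the return, saying that @ServletSecurity on this servlet is ignored because the descriptor is metadata-complete, would make it far easier to diagnose a deployment where an annotated servlet unexpectedly ends up unprotected. Hoisting `Context ctxt = (Context) getParent();` above the check is fine; the same unchecked cast was already there.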
    
  • java/org/apache/catalina/startup/ContextConfig.java (+8 −3, modified)
    @@ -366,11 +366,16 @@ protected void applicationAnnotationsConfig() {
          */
         protected synchronized void authenticatorConfig() {
     
    -        // Always need an authenticator to support @ServletSecurity annotations
             LoginConfig loginConfig = context.getLoginConfig();
             if (loginConfig == null) {
    -            loginConfig = DUMMY_LOGIN_CONFIG;
    -            context.setLoginConfig(loginConfig);
    +            if (context.getIgnoreAnnotations())  {
    +                return;
    +            } else {
    +                // Not metadata-complete, need an authenticator to support
    +                // @ServletSecurity annotations
    +                loginConfig = DUMMY_LOGIN_CONFIG;
    +                context.setLoginConfig(loginConfig);
    +            }
             }
     
             // Has an authenticator been configured already?
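Review bot: the new `if (context.getIgnoreAnnotations()) { return; }` branch returns without considering whether web.xml itself declares security constraints. The early return removed in 0ff4905158b7 below was conditioned on `context.findConstraints()` being empty; here a metadata-complete descriptor that declares constraints but has no login-config would also skip authenticator setup, and the authenticator is what enforces those constraints. Consider returning only when annotations are ignored and no constraints are present, and installing DUMMY_LOGIN_CONFIG otherwise. The `else` after the `return` is also redundant.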
    
  • test/webapp-3.0/WEB-INF/web.xml (+3 −0, modified)
    @@ -113,4 +113,7 @@
         <url-pattern>/testStandardWrapper/securityAnnotationsMetaDataPriority</url-pattern>  
       </servlet-mapping>
     
    +  <login-config>
    +    <auth-method>BASIC</auth-method>
    +  </login-config>
     </web-app>
    \ No newline at end of file
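Review bot: the file still ends without a trailing newline (`\ No newline at end of file`); add one so the next edit does not show a spurious change on `</web-app>`. A short comment above the added login-config saying which test needs BASIC here would also help, since the companion fixture in 0ff4905158b7 explicitly warns that adding a login-config changes the response code the tests expect.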
    
Commit 0ff4905158b7

CVE-2011-1088

https://github.com/apache/tomcat · Mark Emlyn David Thomas · Mar 9, 2011 · via ghsa
4 files changed · +75 −8
  • java/org/apache/catalina/startup/ContextConfig.java (+1 −4, modified)
    @@ -366,10 +366,7 @@ protected void applicationAnnotationsConfig() {
          */
         protected synchronized void authenticatorConfig() {
     
    -        // Does this Context require an Authenticator?
    -        SecurityConstraint constraints[] = context.findConstraints();
    -        if ((constraints == null) || (constraints.length == 0))
    -            return;
    +        // Always need an authenticator to support @ServletSecurity annotations
             LoginConfig loginConfig = context.getLoginConfig();
             if (loginConfig == null) {
                 loginConfig = DUMMY_LOGIN_CONFIG;
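Review bot: removing the `constraints.length == 0` early return is the root-cause fix: with it in place, a context whose web.xml declared no constraints never received an authenticator, so the @ServletSecurity constraints registered by StandardWrapper via `ctxt.addServletSecurity` were never evaluated. The replacement comment "Always need an authenticator" slightly overstates it, since a metadata-complete descriptor ignores annotations by specification and DUMMY_LOGIN_CONFIG is then installed for nothing; the `getIgnoreAnnotations()` check in 3e5b0455483e above narrows this, and the comment could say so.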
    
  • test/org/apache/catalina/core/TestStandardWrapper.java (+18 −0, modified)
    @@ -125,6 +125,24 @@ public void testSecurityAnnotationsAddServlet2() throws Exception {
             doTestSecurityAnnotationsAddServlet(true);
         }
         
    +    public void testSecurityAnnotationsNoWebXmlConstraints() throws Exception {
    +        // Setup Tomcat instance
    +        Tomcat tomcat = getTomcatInstance();
    +        
    +        File appDir = new File("test/webapp-3.0-servletsecurity");
    +        tomcat.addWebapp(null, "", appDir.getAbsolutePath());
    +        
    +        tomcat.start();
    +        
    +        ByteChunk bc = new ByteChunk();
    +        int rc;
    +        rc = getUrl("http://localhost:" + getPort() + "/",
    +                bc, null, null);
    +        
    +        assertNull(bc.toString());
    +        assertEquals(403, rc);
    +    }
    +
         private void doTestSecurityAnnotationsAddServlet(boolean useCreateServlet)
                 throws Exception {
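Review bot: `int rc; rc = getUrl(...)` can be a single `int rc = getUrl(...)`. More importantly, the test only pins the negative path: with no web.xml constraints, the request to `/` must now get 403 and an empty body from the dummy authenticator. A companion positive case (a login-config plus a request authenticated as a user in the allowed role getting 200) would show the authenticator is enforcing the annotation rather than denying everything, and `assertNull(bc.toString())` deserves a comment that an empty body is expected with the 403.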
     
    
  • test/webapp-3.0-servletsecurity/WEB-INF/web.xml (+48 −0, added)
    @@ -0,0 +1,48 @@
    +<?xml version="1.0" encoding="ISO-8859-1"?>
    +<!--
    +  Licensed to the Apache Software Foundation (ASF) under one or more
    +  contributor license agreements.  See the NOTICE file distributed with
    +  this work for additional information regarding copyright ownership.
    +  The ASF licenses this file to You under the Apache License, Version 2.0
    +  (the "License"); you may not use this file except in compliance with
    +  the License.  You may obtain a copy of the License at
    +
    +      http://www.apache.org/licenses/LICENSE-2.0
    +
    +  Unless required by applicable law or agreed to in writing, software
    +  distributed under the License is distributed on an "AS IS" BASIS,
    +  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    +  See the License for the specific language governing permissions and
    +  limitations under the License.
    +-->
    +<web-app xmlns="http://java.sun.com/xml/ns/javaee"
    +  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    +  xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
    +                      http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
    +  version="3.0">  
    +
    +  <!--
    +    WARNING:
    +    For the unit tests to work correctly, no security constraints may be
    +    configured in the web.xml. A login-config section is permitted but not
    +    necessary for the tests. Adding a login-config would require changing the
    +    return code checked in the unit tests.
    +  -->
    +
    +  <display-name>Tomcat Test Application</display-name>
    +  <description>
    +     Used as part of the Tomcat unit tests when a full web application is
    +     required.
    +  </description>
    +  
    +  <servlet>
    +    <servlet-name>RoleProtected</servlet-name>
    +    <servlet-class>org.apache.catalina.core.TestStandardWrapper$RoleAllowServlet</servlet-class>
    +  </servlet>
    +
    +  <servlet-mapping>
    +    <servlet-name>RoleProtected</servlet-name>
    +    <url-pattern>/</url-pattern>
    +  </servlet-mapping>
    +
    +</web-app>
    \ No newline at end of file
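Review bot: `version="3.0">  ` carries trailing whitespace and the file lacks a final newline; both are worth cleaning before commit. The WARNING comment is exactly the documentation a security regression fixture needs: it records that the point of this descriptor is the absence of security-constraint, so nobody "fixes" it later. Mapping RoleProtected to `/` also makes it the default servlet, which is what lets the test request a bare `/` and expect the annotation to apply; a one-line note saying so would spare the next reader a trip to TestStandardWrapper.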
    
  • webapps/docs/changelog.xml (+8 −4, modified)
    @@ -45,6 +45,10 @@
     <section name="Tomcat 7.0.11 (markt)">
       <subsection name="Catalina">
         <changelog>
    +      <fix>
    +        CVE-2011-1088: Completed fix. Don&apos;t ignore @ServletSecurity
    +        annotations. (markt)
    +      </fix>
           <add>
             <bug>25060</bug>: Close Apache Commons DBCP datasources when the
             associated JNDI naming context is stopped (e.g. for a non-global
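Review bot: the 7.0.11 entry credits only CVE-2011-1088, yet the incomplete earlier fix was assigned its own identifier (CVE-2011-1419, this advisory). Spelling out the behavioural change, that an authenticator is now configured even when web.xml declares no security constraints, would make the entry cross-referenceable from either CVE and would tell operators which deployments the "completed fix" actually affects.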
    @@ -87,6 +91,10 @@
     <section name="Tomcat 7.0.10 (markt)"  rtext="released 2011-03-08">
       <subsection name="Catalina">
         <changelog>
    +      <fix>
    +        CVE-2011-1088: Partial fix. Don&apos;t ignore @ServletSecurity
    +        annotations. (markt)
    +      </fix>
           <fix>
             <bug>27988</bug>: Improve reporting of missing files. (markt)
           </fix>
    @@ -103,10 +111,6 @@
             Improve shut down speed by not renewing threads during shut down when
             the <code>ThreadLocalLeakPreventionListener</code> is enabled. (markt)  
           </fix>
    -      <fix>
    -        CVE-2011-1088: Partial fix. Don&apos;t ignore @ServletSecurity
    -        annotations. (markt)
    -      </fix>
         </changelog>
       </subsection>
       <subsection name="Coyote">
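Review bot: the entry removed here is character-for-character the one added at the top of the 7.0.10 changelog in the previous hunk, so this is a pure reorder. Fine as a tidy-up, but folding it into the security-fix commit makes the diff noisier to audit; a separate commit, or a mention in the commit message (which currently reads only `CVE-2011-1088`), would help.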
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (21)

News mentions (0)

No linked articles in our index yet.