CVE-2011-2481
Description
Apache Tomcat 7.0.x before 7.0.17 allows a malicious web application to replace the XML parser, enabling access to other apps' configuration files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Apache Tomcat 7.0.x before 7.0.17 permits a web application to replace the XML parser used by other web applications. This is a regression of CVE-2009-0783. Affected versions are 7.0.0 through 7.0.16. [1]
Exploitation
An attacker must deploy a crafted web application on the same Tomcat instance, loaded earlier than the target application. The attacker can then replace the XML parser, allowing them to read or modify web.xml, context.xml, or tld files of other applications. No authentication beyond the ability to deploy a web application is required. [1][3]
Impact
Successful exploitation allows a local user (with the ability to deploy applications) to read or modify configuration files of arbitrary web applications, potentially leading to information disclosure or privilege escalation within the Tomcat environment. [1]
Mitigation
Upgrade to Apache Tomcat 7.0.17 or later; no workaround is documented. Tomcat 7.0.x has reached end of life and is no longer supported, so users should move to 9.0.x or later to keep receiving security fixes. [1]
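As an added check for the upgrade advice above (example code written for this page, not from the Tomcat project or the advisory), the script below decides whether a reported Tomcat version falls inside the affected range. It compiles the range in the GitHub Security Advisory syntax quoted later on this page (`>= 7.0.0, < 7.0.17`) into a predicate rather than hard-coding 7.0.17, so it generalizes to other advisories written the same way. It assumes the version string comes from the `server.info` key of `org/apache/catalina/util/ServerInfo.properties` inside `lib/catalina.jar`, or from the `Server version:` line printed by `bin/version.sh`; the host inventory is constructed.

```python
import re
from typing import Callable, List, Tuple

Version = Tuple[int, ...]

# Affected range for CVE-2011-2481 as given in the GitHub Security Advisory.
GHSA_AFFECTED_RANGE = ">= 7.0.0, < 7.0.17"

_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")
_CLAUSE_RE = re.compile(r"\s*(>=|<=|>|<|=)\s*(\d+(?:\.\d+)*)\s*")


def parse_version(text: str) -> Version:
    """Return the dotted numeric version found in strings such as
    'Apache Tomcat/7.0.16' or 'Server version: Apache Tomcat/7.0.16'.
    Any qualifier after the digits (e.g. '-beta') is ignored."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so that 7.0 compares as 7.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def parse_range(spec: str) -> Callable[[Version], bool]:
    """Compile a GHSA-style range such as '>= 7.0.0, < 7.0.17' into a
    predicate; every comma-separated clause must hold."""
    ops = {
        ">=": lambda v, b: v >= b,
        ">": lambda v, b: v > b,
        "<=": lambda v, b: v <= b,
        "<": lambda v, b: v < b,
        "=": lambda v, b: v == b,
    }
    clauses = []
    for part in spec.split(","):
        m = _CLAUSE_RE.fullmatch(part)
        if m is None:
            raise ValueError(f"unrecognised range clause {part!r}")
        clauses.append((ops[m.group(1)], parse_version(m.group(2))))

    def predicate(v: Version) -> bool:
        return all(op(*_padded(v, bound)) for op, bound in clauses)

    return predicate


def is_affected(server_info: str, spec: str = GHSA_AFFECTED_RANGE) -> bool:
    """True if the reported Tomcat version lies inside the affected range."""
    return parse_range(spec)(parse_version(server_info))


# Constructed inventory: one 'host<TAB>server.info' line per Tomcat instance,
# as a fleet scan of ServerInfo.properties (or version.sh output) might produce.
# Hosts and versions are made up for this example.
INVENTORY = """\
app01\tApache Tomcat/7.0.16
app02\tApache Tomcat/7.0.17
app03\tApache Tomcat/7.0.0
app04\tApache Tomcat/6.0.32
app05\tApache Tomcat/9.0.0
"""


def find_affected(lines: List[str], spec: str = GHSA_AFFECTED_RANGE) -> List[str]:
    """Return the hosts whose reported version is in the affected range.
    The host column is split off first so its digits (app01) are never
    mistaken for the version number."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        host, info = line.split("\t", 1)
        if is_affected(info, spec):
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host in find_affected(INVENTORY.splitlines()):
        print(f"{host}: in affected range for CVE-2011-2481, upgrade to 7.0.17 or later")
```

The upper bound is exclusive and the lower bound inclusive, matching the advisory's `>= 7.0.0, < 7.0.17`, so 7.0.17 itself is reported as fixed and 7.0.0 as affected. Versions are compared as padded integer tuples, which avoids the classic string-comparison mistake of ranking 7.0.9 above 7.0.16.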
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat (Maven) | >= 7.0.0, < 7.0.17 | 7.0.17 |
Affected products
- cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
Patches
279e4451cb99 Revert r1137753 - I have a better solution in mind
1 file changed · +25 −27
java/org/apache/catalina/startup/ContextConfig.java+25 −27 modified@@ -229,32 +229,6 @@ public class ContextConfig new LoginConfig("NONE", null, null, null); - static { - webDigesters[0] = DigesterFactory.newDigester(false, false, webRuleSet); - webDigesters[0].getParser(); - webFragmentDigesters[0] = DigesterFactory.newDigester(false, false, - webFragmentRuleSet); - webFragmentDigesters[0].getParser(); - - webDigesters[1] = DigesterFactory.newDigester(true, false, webRuleSet); - webDigesters[1].getParser(); - webFragmentDigesters[1] = DigesterFactory.newDigester(true, false, - webFragmentRuleSet); - webFragmentDigesters[1].getParser(); - - webDigesters[2] = DigesterFactory.newDigester(false, true, webRuleSet); - webDigesters[2].getParser(); - webFragmentDigesters[2] = DigesterFactory.newDigester(false, true, - webFragmentRuleSet); - webFragmentDigesters[2].getParser(); - - webDigesters[3] = DigesterFactory.newDigester(true, true, webRuleSet); - webDigesters[3].getParser(); - webFragmentDigesters[3] = DigesterFactory.newDigester(true, true, - webFragmentRuleSet); - webFragmentDigesters[3].getParser(); - } - // ------------------------------------------------------------- Properties 
@@ -501,22 +475,46 @@ protected synchronized void authenticatorConfig() { * Create (if necessary) and return a Digester configured to process the * web application deployment descriptor (web.xml). */ - protected void createWebXmlDigester(boolean namespaceAware, + public void createWebXmlDigester(boolean namespaceAware, boolean validation) { if (!namespaceAware && !validation) { + if (webDigesters[0] == null) { + webDigesters[0] = DigesterFactory.newDigester(validation, + namespaceAware, webRuleSet); + webFragmentDigesters[0] = DigesterFactory.newDigester(validation, + namespaceAware, webFragmentRuleSet); + } webDigester = webDigesters[0]; webFragmentDigester = webFragmentDigesters[0]; } else if (!namespaceAware && validation) { + if (webDigesters[1] == null) { + webDigesters[1] = DigesterFactory.newDigester(validation, + namespaceAware, webRuleSet); + webFragmentDigesters[1] = DigesterFactory.newDigester(validation, + namespaceAware, webFragmentRuleSet); + } webDigester = webDigesters[1]; webFragmentDigester = webFragmentDigesters[1]; } else if (namespaceAware && !validation) { + if (webDigesters[2] == null) { + webDigesters[2] = DigesterFactory.newDigester(validation, + namespaceAware, webRuleSet); + webFragmentDigesters[2] = DigesterFactory.newDigester(validation, + namespaceAware, webFragmentRuleSet); + } webDigester = webDigesters[2]; webFragmentDigester = webFragmentDigesters[2]; } else { + if (webDigesters[3] == null) { + webDigesters[3] = DigesterFactory.newDigester(validation, + namespaceAware, webRuleSet); + webFragmentDigesters[3] = DigesterFactory.newDigester(validation, + namespaceAware, webFragmentRuleSet); + } webDigester = webDigesters[3]; webFragmentDigester = webFragmentDigesters[3]; }
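Review bot: Dropping the static initializer in the first hunk (ContextConfig.java, `@@ -229,32 +229,6 @@`) also drops the `getParser()` calls that forced each digester's SAX parser to be resolved while ContextConfig itself is loaded, before any web application's class loader can be in play; after this hunk the parser is resolved again on first use, under whatever class loader context is current at that point, which is the situation this CVE's description attributes to the parser-replacement problem. Since the commit message only says a better solution is in mind, the revert should land together with its replacement or the message should name the follow-up revision so a reviewer can confirm the gap is closed.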
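Review bot: The check-then-create on the static `webDigesters`/`webFragmentDigesters` arrays in the second hunk (`@@ -501,22 +475,46 @@`) is not guarded, so two contexts being configured concurrently can both observe `webDigesters[n] == null` and each build a digester pair, leaving the instance fields of the two contexts pointing at different objects; either synchronize the lazy initialisation or do it once in a single place. The four branches differ only in the array index, so `int idx = (namespaceAware ? 2 : 0) + (validation ? 1 : 0);` followed by one `if (webDigesters[idx] == null)` block would replace the four copies and make the guard easy to audit. The change from `protected` to `public` on `createWebXmlDigester` widens the class's API; the Javadoc directly above it should say why the method is now public.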
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- svn.apache.org/viewvc (NVD: Patch)
- svn.apache.org/viewvc (NVD: Patch)
- tomcat.apache.org/security-7.html (NVD: Patch, Vendor Advisory)
- issues.apache.org/bugzilla/show_bug.cgi (NVD: Exploit)
- github.com/advisories/GHSA-r7c8-hghc-2mp8 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2011-2481 (GHSA: Advisory)
- marc.info (NVD)
- github.com/apache/tomcat/commit/279e4451cb996f810fbca2f78b6340412d9daa7b (GHSA)
- web.archive.org/web/20111209022500/http://www.securityfocus.com/bid/49147 (GHSA)
- web.archive.org/web/20161127215021/http://securitytracker.com/id (GHSA)
- secunia.com/advisories/57126 (NVD)
- securitytracker.com/id (NVD)
- www.securityfocus.com/bid/49147 (NVD)
News mentions
No linked articles in our index yet.