CVE: CVE-2011-1183
Risk: Medium
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Tomcat 7.0.11, earlier versions are not affected

Description:
A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no login configuration was present in the web.xml and the web application was marked as meta-data complete.

Mitigation:
- Upgrade to Tomcat 7.0.12 or later
- Ensure a login configuration is defined in web.xml

Credit:
This issue was identified by the Apache Tomcat security team.

References:
- http://tomcat.apache.org/security.html
- http://tomcat.apache.org/security-7.html
- http://svn.apache.org/viewvc?view=revision&revision=1087643
- http://www.securityfocus.com/bid/47196
- http://seclists.org/fulldisclosure/2011/Apr/96
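
The descriptor condition in the Description (meta-data complete, security constraints declared, no login configuration) can be checked for each web application deployed on an affected Tomcat. The following is an added example, not part of the original advisory or of Apache Tomcat; the function names and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: constraints declared, metadata-complete, no <login-config>.
EXPOSED_WEB_XML = """
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"
         metadata-complete="true">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample: same descriptor with the advisory's second mitigation applied.
MITIGATED_WEB_XML = EXPOSED_WEB_XML.replace(
    "</web-app>",
    "  <login-config><auth-method>BASIC</auth-method></login-config>\n</web-app>",
)

def _local(tag):
    """Drop the XML namespace so descriptors with or without xmlns match."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Report the three descriptor properties named in the advisory."""
    root = ET.fromstring(xml_text.strip())
    if _local(root.tag) != "web-app":
        raise ValueError("not a web.xml deployment descriptor")
    children = {_local(child.tag) for child in root}
    flag = root.get("metadata-complete", "false").strip().lower()
    return {
        "metadata_complete": flag == "true",
        "has_security_constraint": "security-constraint" in children,
        "has_login_config": "login-config" in children,
    }

def is_exposed(xml_text):
    """True when all conditions from the CVE-2011-1183 description hold."""
    f = audit_web_xml(xml_text)
    return (f["metadata_complete"] and f["has_security_constraint"]
            and not f["has_login_config"])

if __name__ == "__main__":
    for name, doc in (("exposed", EXPOSED_WEB_XML), ("mitigated", MITIGATED_WEB_XML)):
        print(name, audit_web_xml(doc), "exposed:", is_exposed(doc))
```

A descriptor flagged by this check only matters on Tomcat 7.0.11; upgrading to 7.0.12 or later remains the primary mitigation.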