Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the container ignoring @ServletSecurity annotations when a web application is started. An attacker could exploit this vulnerability to bypass security restrictions and launch further attacks on the system.
Apache Tomcat versions 7.0.0 through 7.0.10.
Apache Tomcat May Ignore @ServletSecurity Annotation Protections. A remote user may be able to bypass @ServletSecurity annotation protections.
The vulnerability is caused by the server not properly enforcing "@ServletSecurity" annotations when loading servlets. This can be exploited to e.g. bypass the security constraints specified via the annotations and disclose certain information.
The system ignores @ServletSecurity annotations when starting a web application. As a result, some areas of the application do not receive the expected protection. A remote user may be able to bypass @ServletSecurity annotation protections.