Apache Tomcat “@ServletSecurity” Annotation Security Bypass


A vulnerability has been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application not properly enforcing “@ServletSecurity” annotations when loading servlets. This can be exploited to e.g. bypass the security constraints specified via the annotations and disclose certain information.

The vulnerability is reported in versions 7.0.0 through 7.0.10.


Update to version 7.0.11.

Provided and/or discovered by
Michael McCutcheon

Further details available in Customer Area

Original Advisory

Source Advisory:

Download Apache Tomcat


1 thought on “Apache Tomcat “@ServletSecurity” Annotation Security Bypass”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s