[Forgot Password]
Login  Register Subscribe

23631

 
 

115083

 
 

97389

 
 

909

 
 

78730

 
 

109

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML

CVE-2008-5515

Date: (C)2009-06-16   (M)2017-10-04
 
CVSS Score: 5.0Access Vector: NETWORK
Exploitability Subscore: 10.0Access Complexity: LOW
Impact Subscore: 2.9Authentication: NONE
 Confidentiality: PARTIAL
 Integrity: NONE
 Availability: NONE











Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Reference:
http://www.securityfocus.com/archive/1/archive/1/504170/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504202/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded
SUNALERT-263529
BID-35263
SECUNIA-35393
SECUNIA-35685
SECUNIA-35788
SECUNIA-37460
SECUNIA-39317
SECUNIA-42368
SECUNIA-44183
ADV-2009-1520
ADV-2009-1535
ADV-2009-1856
ADV-2009-3316
ADV-2010-3056
APPLE-SA-2010-03-29-1
DSA-2207
FEDORA-2009-11352
FEDORA-2009-11356
FEDORA-2009-11374
HPSBUX02579
HPSBUX02860
JVN#63832775
MDVSA-2009:136
MDVSA-2009:138
MDVSA-2010:176
SSRT100029
SSRT100203
SSRT101146
SUSE-SR:2009:012
SUSE-SR:2010:008
http://support.apple.com/kb/HT4077
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html
http://www.vmware.com/security/advisories/VMSA-2009-0016.html

CPE    58
cpe:/a:apache:tomcat:6.0.18
cpe:/a:apache:tomcat:6.0.14
cpe:/a:apache:tomcat:6.0.13
cpe:/a:apache:tomcat:6.0.16
...
CWE    1
CWE-22
OVAL    13
oval:org.secpod.oval:def:102261
oval:org.secpod.oval:def:20823
oval:org.secpod.oval:def:301232
oval:org.secpod.oval:def:600224
...

© 2013 SecPod Technologies