[Forgot Password]
Login  Register Subscribe

24128

 
 

131615

 
 

114411

 
 

909

 
 

88812

 
 

136

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML view JSON

CVE-2008-5515Date: (C)2009-06-16   (M)2018-09-27


Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V2 Severity:
CVSS Score : 5.0
Exploit Score: 10.0
Impact Score: 2.9
 
CVSS V2 Metrics:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
  
Reference:
http://www.securityfocus.com/archive/1/archive/1/504170/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/504202/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded
SUNALERT-263529
BID-35263
SECUNIA-35393
SECUNIA-35685
SECUNIA-35788
SECUNIA-37460
SECUNIA-39317
SECUNIA-42368
SECUNIA-44183
ADV-2009-1520
ADV-2009-1535
ADV-2009-1856
ADV-2009-3316
ADV-2010-3056
APPLE-SA-2010-03-29-1
DSA-2207
FEDORA-2009-11352
FEDORA-2009-11356
FEDORA-2009-11374
HPSBUX02579
HPSBUX02860
JVN#63832775
MDVSA-2009:136
MDVSA-2009:138
MDVSA-2010:176
SSRT100029
SSRT100203
SSRT101146
SUSE-SR:2009:012
SUSE-SR:2010:008
http://support.apple.com/kb/HT4077
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
http://tomcat.apache.org/security-6.html
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html
http://www.vmware.com/security/advisories/VMSA-2009-0016.html

CPE    58
cpe:/a:apache:tomcat:5.5.3
cpe:/a:apache:tomcat:5.5.2
cpe:/a:apache:tomcat:5.5.5
cpe:/a:apache:tomcat:5.5.4
...
CWE    1
CWE-22
OVAL    13
oval:org.secpod.oval:def:301162
oval:org.secpod.oval:def:102261
oval:org.secpod.oval:def:20823
oval:org.secpod.oval:def:301232
...

© SecPod Technologies