Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2008-5515

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Published

2009-06-16T21:00:00.313

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 5.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	tomcat	4.1.0	Yes
Application	apache	tomcat	4.1.1	Yes
Application	apache	tomcat	4.1.2	Yes
Application	apache	tomcat	4.1.3	Yes
Application	apache	tomcat	4.1.10	Yes
Application	apache	tomcat	4.1.11	Yes
Application	apache	tomcat	4.1.12	Yes
Application	apache	tomcat	4.1.13	Yes
Application	apache	tomcat	4.1.14	Yes
Application	apache	tomcat	4.1.15	Yes
Application	apache	tomcat	4.1.16	Yes
Application	apache	tomcat	4.1.17	Yes
Application	apache	tomcat	4.1.18	Yes
Application	apache	tomcat	4.1.19	Yes
Application	apache	tomcat	4.1.20	Yes
Application	apache	tomcat	4.1.21	Yes
Application	apache	tomcat	4.1.22	Yes
Application	apache	tomcat	4.1.23	Yes
Application	apache	tomcat	4.1.24	Yes
Application	apache	tomcat	4.1.25	Yes
Application	apache	tomcat	4.1.26	Yes
Application	apache	tomcat	4.1.27	Yes
Application	apache	tomcat	4.1.28	Yes
Application	apache	tomcat	4.1.29	Yes
Application	apache	tomcat	4.1.30	Yes
Application	apache	tomcat	4.1.31	Yes
Application	apache	tomcat	4.1.32	Yes
Application	apache	tomcat	4.1.33	Yes
Application	apache	tomcat	4.1.34	Yes
Application	apache	tomcat	4.1.35	Yes
Application	apache	tomcat	4.1.36	Yes
Application	apache	tomcat	4.1.37	Yes
Application	apache	tomcat	4.1.38	Yes
Application	apache	tomcat	4.1.39	Yes
Application	apache	tomcat	5.5.0	Yes
Application	apache	tomcat	5.5.1	Yes
Application	apache	tomcat	5.5.2	Yes
Application	apache	tomcat	5.5.3	Yes
Application	apache	tomcat	5.5.4	Yes
Application	apache	tomcat	5.5.5	Yes
Application	apache	tomcat	5.5.6	Yes
Application	apache	tomcat	5.5.7	Yes
Application	apache	tomcat	5.5.8	Yes
Application	apache	tomcat	5.5.9	Yes
Application	apache	tomcat	5.5.10	Yes
Application	apache	tomcat	5.5.11	Yes
Application	apache	tomcat	5.5.12	Yes
Application	apache	tomcat	5.5.13	Yes
Application	apache	tomcat	5.5.14	Yes
Application	apache	tomcat	5.5.15	Yes
Application	apache	tomcat	5.5.16	Yes
Application	apache	tomcat	5.5.17	Yes
Application	apache	tomcat	5.5.18	Yes
Application	apache	tomcat	5.5.19	Yes
Application	apache	tomcat	5.5.20	Yes
Application	apache	tomcat	5.5.21	Yes
Application	apache	tomcat	5.5.22	Yes
Application	apache	tomcat	5.5.23	Yes
Application	apache	tomcat	5.5.24	Yes
Application	apache	tomcat	5.5.25	Yes
Application	apache	tomcat	5.5.26	Yes
Application	apache	tomcat	5.5.27	Yes
Application	apache	tomcat	6.0	Yes
Application	apache	tomcat	6.0.0	Yes
Application	apache	tomcat	6.0.1	Yes
Application	apache	tomcat	6.0.2	Yes
Application	apache	tomcat	6.0.3	Yes
Application	apache	tomcat	6.0.4	Yes
Application	apache	tomcat	6.0.5	Yes
Application	apache	tomcat	6.0.6	Yes
Application	apache	tomcat	6.0.7	Yes
Application	apache	tomcat	6.0.9	Yes
Application	apache	tomcat	6.0.10	Yes
Application	apache	tomcat	6.0.12	Yes
Application	apache	tomcat	6.0.13	Yes
Application	apache	tomcat	6.0.14	Yes
Application	apache	tomcat	6.0.15	Yes
Application	apache	tomcat	6.0.16	Yes
Application	apache	tomcat	6.0.17	Yes
Application	apache	tomcat	6.0.18	Yes

References

http://jvn.jp/en/jp/JVN63832775/index.html Patch ([email protected])
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html ([email protected])
http://marc.info/?l=bugtraq&m=127420533226623&w=2 ([email protected])
http://marc.info/?l=bugtraq&m=127420533226623&w=2 ([email protected])
http://marc.info/?l=bugtraq&m=129070310906557&w=2 ([email protected])
http://marc.info/?l=bugtraq&m=129070310906557&w=2 ([email protected])
http://marc.info/?l=bugtraq&m=136485229118404&w=2 ([email protected])
http://marc.info/?l=bugtraq&m=136485229118404&w=2 ([email protected])
http://secunia.com/advisories/35393 ([email protected])
http://secunia.com/advisories/35685 ([email protected])
http://secunia.com/advisories/35788 ([email protected])
http://secunia.com/advisories/37460 ([email protected])
http://secunia.com/advisories/39317 ([email protected])
http://secunia.com/advisories/42368 ([email protected])
http://secunia.com/advisories/44183 ([email protected])
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 ([email protected])
http://support.apple.com/kb/HT4077 ([email protected])
http://tomcat.apache.org/security-4.html Patch, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-5.html Patch, Vendor Advisory ([email protected])
http://tomcat.apache.org/security-6.html Patch, Vendor Advisory ([email protected])
http://www.debian.org/security/2011/dsa-2207 ([email protected])
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 ([email protected])
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 ([email protected])
http://www.securityfocus.com/archive/1/504170/100/0/threaded ([email protected])
http://www.securityfocus.com/archive/1/504202/100/0/threaded ([email protected])
http://www.securityfocus.com/archive/1/507985/100/0/threaded ([email protected])
http://www.securityfocus.com/bid/35263 Patch ([email protected])
http://www.vmware.com/security/advisories/VMSA-2009-0016.html ([email protected])
http://www.vupen.com/english/advisories/2009/1520 Patch, Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2009/1535 ([email protected])
http://www.vupen.com/english/advisories/2009/1856 ([email protected])
http://www.vupen.com/english/advisories/2009/3316 ([email protected])
http://www.vupen.com/english/advisories/2010/3056 ([email protected])
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422 ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452 ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445 ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html ([email protected])
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html ([email protected])
http://jvn.jp/en/jp/JVN63832775/index.html Patch (af854a3a-2127-422b-91ae-364da2661108)
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=127420533226623&w=2 (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=127420533226623&w=2 (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=129070310906557&w=2 (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=129070310906557&w=2 (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136485229118404&w=2 (af854a3a-2127-422b-91ae-364da2661108)
http://marc.info/?l=bugtraq&m=136485229118404&w=2 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35393 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35685 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/35788 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/37460 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/39317 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/42368 (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/44183 (af854a3a-2127-422b-91ae-364da2661108)
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 (af854a3a-2127-422b-91ae-364da2661108)
http://support.apple.com/kb/HT4077 (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-4.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-5.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-6.html Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2011/dsa-2207 (af854a3a-2127-422b-91ae-364da2661108)
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 (af854a3a-2127-422b-91ae-364da2661108)
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/504170/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/504202/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/archive/1/507985/100/0/threaded (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/35263 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.vmware.com/security/advisories/VMSA-2009-0016.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/1520 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/1535 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/1856 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2009/3316 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2010/3056 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422 (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452 (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445 (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html (af854a3a-2127-422b-91ae-364da2661108)
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html (af854a3a-2127-422b-91ae-364da2661108)