CVE-2002-2007

Apache Tomcat 3.2.3-3.2.4 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2002-2007. PoCs published by Richard Brain.

AI-analyzed exploit summary: This is a writeup describing an information disclosure vulnerability in Apache Tomcat's default example JSP files. The vulnerability allows an attacker to retrieve the absolute path to the server's web root by requesting specific JSP files without input.

Description

The default installations of Apache Tomcat 3.2.3 and 3.2.4 allow remote attackers to obtain sensitive system information such as directory listings and web root path, via erroneous HTTP requests for Java Server Pages (JSP) in the (1) test/jsp, (2) samples/jsp and (3) examples/jsp directories, or the (4) test/realPath.jsp servlet, which leaks pathnames in error messages.

Exploits (3)

exploitdb WRITEUP VERIFIED
by Richard Brain · text · remote · multiple
https://www.exploit-db.com/exploits/21491

This is a writeup describing an information disclosure vulnerability in Apache Tomcat's default example JSP files. The vulnerability allows an attacker to retrieve the absolute path to the server's web root by requesting specific JSP files without input.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (default configuration)
No auth needed
Prerequisites: Apache Tomcat installed with default example files
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Richard Brain · text · remote · multiple
https://www.exploit-db.com/exploits/21490

This is a writeup describing an information leakage vulnerability in Apache Tomcat where malformed requests to source.jsp can expose sensitive server configuration details, including the web root directory and potential directory listings.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (version not specified)
No auth needed
Prerequisites: Access to the Tomcat server's examples/jsp/source.jsp endpoint
devstral-2 · analyzed Feb 16, 2026

exploitdb WRITEUP VERIFIED
by Richard Brain · text · remote · multiple
https://www.exploit-db.com/exploits/21492

The provided text describes an information leakage vulnerability in Apache Tomcat where accessing the realPath.jsp page discloses the web root directory. This is not a functional exploit but rather a description of the vulnerability and its impact.

Classification: Writeup 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Apache Tomcat (version not specified)
No auth needed
Prerequisites: Access to the realPath.jsp page on a vulnerable Tomcat server
devstral-2 · analyzed Feb 16, 2026

References (10)

Core References
US Government Resource third-party-advisory x_refsource_cert-vn
http://www.kb.cert.org/vuls/id/116963
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4876
Third Party Advisory vdb-entry x_refsource_xf
http://www.iss.net/security_center/static/9208.php
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4877
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/4878

Scores

EPSS 0.4140
EPSS Percentile 98.5%

Details

Status published
Products (2)
apache/tomcat 3.2.3
apache/tomcat 3.2.4
Published Dec 31, 2002
Tracked Since Feb 18, 2026