CVE-2003-0042

Jakarta Tomcat <3.3.1a - Info Disclosure

Title source: llm

Description

Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Jouko PynnÃ¶nen · textremotelinux

https://www.exploit-db.com/exploits/22205

View Code ZIP pw:eip

References (10)

[Vendor Advisory] http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/

[Vendor Advisory] http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt

[Mailing List] http://marc.info/?l=bugtraq&m=104394568616290&w=2

[Third Party Advisory, US Government Resource] http://www.ciac.org/ciac/bulletins/n-060.shtml

[Patch, Vendor Advisory] http://www.debian.org/security/2003/dsa-246

[Third Party Advisory, VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/11194

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/advisories/5111

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/6721

[Third Party Advisory] http://secunia.com/advisories/7972

[Third Party Advisory] http://secunia.com/advisories/7977

Scores

EPSS 0.5583

EPSS Percentile 98.1%

Details

Status published

Products (10)

apache/tomcat 3.0

apache/tomcat 3.1

apache/tomcat 3.1.1

apache/tomcat 3.2

apache/tomcat 3.2.1

apache/tomcat 3.2.3

apache/tomcat 3.2.4

apache/tomcat 3.3

apache/tomcat 3.3.1

org.apache.tomcat/tomcat 0 - 3.3.1aMaven

Published Feb 07, 2003

Tracked Since Feb 18, 2026