CVE-2005-4836

Apache Tomcat <4.1.41 - Info Disclosure

Title source: llm
STIX 2.1

Description

The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.

Scores

EPSS 0.0350
EPSS Percentile 87.8%

Details

CWE
CWE-200
Status published
Products (26)
apache/tomcat 4.1.15
apache/tomcat 4.1.16
apache/tomcat 4.1.17
apache/tomcat 4.1.18
apache/tomcat 4.1.19
apache/tomcat 4.1.20
apache/tomcat 4.1.21
apache/tomcat 4.1.22
apache/tomcat 4.1.23
apache/tomcat 4.1.24
... and 16 more
Published Dec 31, 2005
Tracked Since Feb 18, 2026