CVE-2008-5515

Apache Tomcat <6.0.19 - Path Traversal

Title source: llm
STIX 2.1

Description

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

References (47)

Core 47
Core References
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504202/100/0/threaded
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35263
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1520
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/507985/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445
Patch, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-4.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=127420533226623&w=2
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39317
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1535
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2011/dsa-2207
Patch third-party-advisory x_refsource_jvn
http://jvn.jp/en/jp/JVN63832775/index.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=136485229118404&w=2
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/37460
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/3056
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35788
Mailing List vendor-advisory x_refsource_apple
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/44183
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/1856
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/504170/100/0/threaded
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/42368
Patch, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-6.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35393
Vendor Advisory x_refsource_confirm
http://support.apple.com/kb/HT4077
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35685
Patch, Vendor Advisory x_refsource_confirm
http://tomcat.apache.org/security-5.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=129070310906557&w=2
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
Vendor Advisory vendor-advisory x_refsource_sunalert
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2009/3316

Scores

EPSS 0.1868
EPSS Percentile 96.9%

Details

CWE
CWE-22
Status published
Products (50)
apache/tomcat 4.1.0
apache/tomcat 4.1.1
apache/tomcat 4.1.2
apache/tomcat 4.1.3
apache/tomcat 4.1.10
apache/tomcat 4.1.11
apache/tomcat 4.1.12
apache/tomcat 4.1.13
apache/tomcat 4.1.14
apache/tomcat 4.1.15
... and 40 more
Published Jun 16, 2009
Tracked Since Feb 18, 2026