CVE-2008-5515: Path Traversal
First published: Tue Jun 16 2009(Updated: )
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Tomcat | =5.5.27 | |
| Apache Tomcat | =4.1.2 | |
| Apache Tomcat | =4.1.35 | |
| Apache Tomcat | =4.1.36 | |
| Apache Tomcat | =5.5.18 | |
| Apache Tomcat | =4.1.21 | |
| Apache Tomcat | =6.0.6 | |
| Apache Tomcat | =5.5.12 | |
| Apache Tomcat | =5.5.14 | |
| Apache Tomcat | =4.1.24 | |
| Apache Tomcat | =5.5.10 | |
| Apache Tomcat | =5.5.4 | |
| Apache Tomcat | =5.5.7 | |
| Apache Tomcat | =5.5.1 | |
| Apache Tomcat | =6.0.7 | |
| Apache Tomcat | =5.5.11 | |
| Apache Tomcat | =4.1.25 | |
| Apache Tomcat | =6.0.4 | |
| Apache Tomcat | =5.5.6 | |
| Apache Tomcat | =5.5.26 | |
| Apache Tomcat | =4.1.39 | |
| Apache Tomcat | =5.5.20 | |
| Apache Tomcat | =5.5.15 | |
| Apache Tomcat | =5.5.5 | |
| Apache Tomcat | =4.1.27 | |
| Apache Tomcat | =6.0.15 | |
| Apache Tomcat | =4.1.30 | |
| Apache Tomcat | =4.1.38 | |
| Apache Tomcat | =4.1.11 | |
| Apache Tomcat | =5.5.21 | |
| Apache Tomcat | =4.1.18 | |
| Apache Tomcat | =5.5.22 | |
| Apache Tomcat | =4.1.14 | |
| Apache Tomcat | =6.0.10 | |
| Apache Tomcat | =6.0.3 | |
| Apache Tomcat | =4.1.19 | |
| Apache Tomcat | =6.0.9 | |
| Apache Tomcat | =4.1.31 | |
| Apache Tomcat | =5.5.3 | |
| Apache Tomcat | =4.1.16 | |
| Apache Tomcat | =4.1.29 | |
| Apache Tomcat | =6.0.17 | |
| Apache Tomcat | =4.1.22 | |
| Apache Tomcat | =6.0 | |
| Apache Tomcat | =4.1.26 | |
| Apache Tomcat | =4.1.13 | |
| Apache Tomcat | =5.5.9 | |
| Apache Tomcat | =5.5.25 | |
| Apache Tomcat | =6.0.0 | |
| Apache Tomcat | =4.1.17 | |
| Apache Tomcat | =6.0.14 | |
| Apache Tomcat | =5.5.2 | |
| Apache Tomcat | =4.1.33 | |
| Apache Tomcat | =5.5.0 | |
| Apache Tomcat | =4.1.1 | |
| Apache Tomcat | =5.5.13 | |
| Apache Tomcat | =6.0.1 | |
| Apache Tomcat | =6.0.12 | |
| Apache Tomcat | =5.5.24 | |
| Apache Tomcat | =4.1.12 | |
| Apache Tomcat | =4.1.28 | |
| Apache Tomcat | =6.0.18 | |
| Apache Tomcat | =4.1.15 | |
| Apache Tomcat | =4.1.10 | |
| Apache Tomcat | =5.5.8 | |
| Apache Tomcat | =5.5.16 | |
| Apache Tomcat | =4.1.0 | |
| Apache Tomcat | =6.0.5 | |
| Apache Tomcat | =4.1.20 | |
| Apache Tomcat | =5.5.17 | |
| Apache Tomcat | =4.1.3 | |
| Apache Tomcat | =5.5.19 | |
| Apache Tomcat | =4.1.23 | |
| Apache Tomcat | =4.1.34 | |
| Apache Tomcat | =4.1.32 | |
| Apache Tomcat | =4.1.37 | |
| Apache Tomcat | =6.0.2 | |
| Apache Tomcat | =6.0.13 | |
| Apache Tomcat | =5.5.23 | |
| Apache Tomcat | =6.0.16 | |
| maven/org.apache.tomcat:tomcat | >=6.0.0<6.0.20 | 6.0.20 |
| maven/org.apache.tomcat:tomcat | >=5.5.0<5.5.28 | 5.5.28 |
| maven/org.apache.tomcat:tomcat | >=4.1.0<4.1.40 | 4.1.40 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.vupen.com/english/advisories/2009/1520
- http://www.securityfocus.com/bid/35263
- http://tomcat.apache.org/security-5.html
- http://tomcat.apache.org/security-4.html
- http://jvn.jp/en/jp/JVN63832775/index.html
- http://tomcat.apache.org/security-6.html
- http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html
- http://secunia.com/advisories/35393
- http://www.vupen.com/english/advisories/2009/1535
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
- http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
- http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
- http://secunia.com/advisories/35685
- http://www.vupen.com/english/advisories/2009/1856
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
- http://secunia.com/advisories/35788
- http://www.vmware.com/security/advisories/VMSA-2009-0016.html
- http://secunia.com/advisories/37460
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
- https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
- http://www.vupen.com/english/advisories/2009/3316
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://support.apple.com/kb/HT4077
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
- http://secunia.com/advisories/39317
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
- http://marc.info/?l=bugtraq&m=129070310906557&w=2
- http://www.vupen.com/english/advisories/2010/3056
- http://secunia.com/advisories/42368
- http://secunia.com/advisories/44183
- http://www.debian.org/security/2011/dsa-2207
- http://marc.info/?l=bugtraq&m=136485229118404&w=2
- http://marc.info/?l=bugtraq&m=127420533226623&w=2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422
- http://www.securityfocus.com/archive/1/507985/100/0/threaded
- http://www.securityfocus.com/archive/1/504202/100/0/threaded
- http://www.securityfocus.com/archive/1/504170/100/0/threaded
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2008-5515
- https://github.com/apache/tomcat/commit/6b61911f94d6d8d49ee933c5f1882a7e7c336d2c
- https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:10422
- https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:19452
- https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6445
- https://github.com/advisories/GHSA-9737-qmgc-hfr9 (Advisory)
- collector/nvd-historical
- collector/nvd-index
- agent/type
- agent/remedy
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-9737-qmgc-hfr9
- alias/CVE-2008-5515
- agent/software-canonical-lookup
- agent/severity
- agent/weakness
- agent/references
- agent/last-modified-date
- agent/description
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- collector/github-advisory
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/5.5.27
- version/apache tomcat/4.1.2
- version/apache tomcat/4.1.35
- version/apache tomcat/4.1.36
- version/apache tomcat/5.5.18
- version/apache tomcat/4.1.21
- version/apache tomcat/6.0.6
- version/apache tomcat/5.5.12
- version/apache tomcat/5.5.14
- version/apache tomcat/4.1.24
- version/apache tomcat/5.5.10
- version/apache tomcat/5.5.4
- version/apache tomcat/5.5.7
- version/apache tomcat/5.5.1
- version/apache tomcat/6.0.7
- version/apache tomcat/5.5.11
- version/apache tomcat/4.1.25
- version/apache tomcat/6.0.4
- version/apache tomcat/5.5.6
- version/apache tomcat/5.5.26
- version/apache tomcat/4.1.39
- version/apache tomcat/5.5.20
- version/apache tomcat/5.5.15
- version/apache tomcat/5.5.5
- version/apache tomcat/4.1.27
- version/apache tomcat/6.0.15
- version/apache tomcat/4.1.30
- version/apache tomcat/4.1.38
- version/apache tomcat/4.1.11
- version/apache tomcat/5.5.21
- version/apache tomcat/4.1.18
- version/apache tomcat/5.5.22
- version/apache tomcat/4.1.14
- version/apache tomcat/6.0.10
- version/apache tomcat/6.0.3
- version/apache tomcat/4.1.19
- version/apache tomcat/6.0.9
- version/apache tomcat/4.1.31
- version/apache tomcat/5.5.3
- version/apache tomcat/4.1.16
- version/apache tomcat/4.1.29
- version/apache tomcat/6.0.17
- version/apache tomcat/4.1.22
- version/apache tomcat/6.0
- version/apache tomcat/4.1.26
- version/apache tomcat/4.1.13
- version/apache tomcat/5.5.9
- version/apache tomcat/5.5.25
- version/apache tomcat/6.0.0
- version/apache tomcat/4.1.17
- version/apache tomcat/6.0.14
- version/apache tomcat/5.5.2
- version/apache tomcat/4.1.33
- version/apache tomcat/5.5.0
- version/apache tomcat/4.1.1
- version/apache tomcat/5.5.13
- version/apache tomcat/6.0.1
- version/apache tomcat/6.0.12
- version/apache tomcat/5.5.24
- version/apache tomcat/4.1.12
- version/apache tomcat/4.1.28
- version/apache tomcat/6.0.18
- version/apache tomcat/4.1.15
- version/apache tomcat/4.1.10
- version/apache tomcat/5.5.8
- version/apache tomcat/5.5.16
- version/apache tomcat/4.1.0
- version/apache tomcat/6.0.5
- version/apache tomcat/4.1.20
- version/apache tomcat/5.5.17
- version/apache tomcat/4.1.3
- version/apache tomcat/5.5.19
- version/apache tomcat/4.1.23
- version/apache tomcat/4.1.34
- version/apache tomcat/4.1.32
- version/apache tomcat/4.1.37
- version/apache tomcat/6.0.2
- version/apache tomcat/6.0.13
- version/apache tomcat/5.5.23
- version/apache tomcat/6.0.16
- package-manager/maven