First published: Mon Sep 22 2008
JBoss Web Server (jbossweb) is an enterprise-ready web server designed for medium and large applications. It is based on Apache Tomcat and is embedded into JBoss Application Server. It provides organizations with a single deployment platform for JavaServer Pages (JSP) and Java Servlet technologies, Microsoft® .NET, PHP, and CGI.

A traversal vulnerability was discovered when using a RequestDispatcher in combination with a servlet or JSP. A remote attacker could use a specially-crafted request parameter to access protected web resources. (CVE-2008-2370)

An additional traversal vulnerability was discovered when the "allowLinking" and "URIencoding" settings were activated. A remote attacker could use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the jbossweb process. (CVE-2008-2938)

Users of jbossweb should upgrade to this updated package, which contains backported patches to resolve these issues.
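As an added defensive example (not part of the advisory or of the jbossweb code base), the following Python detector decodes request paths and dispatcher parameters the way a permissive server might, including percent-encoded, double-encoded and overlong UTF-8 forms, and flags any `..` segment so the request can be alerted on or rejected before a RequestDispatcher or file lookup sees it. The log lines, the `page` parameter and the `/app` paths are constructed for illustration; `WEB-INF` is the servlet specification's protected directory.

```python
import re
from urllib.parse import unquote_to_bytes

def lenient_utf8(raw: bytes) -> str:
    """Decode as a permissive server might: an overlong 2-byte form (lead 0xC0/0xC1
    plus a continuation byte) is folded to the ASCII byte it encodes first."""
    folded, i = bytearray(), 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            folded.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            folded.append(raw[i])
            i += 1
    return folded.decode("utf-8", errors="replace")

def normalize(value: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (catches double encoding); fold backslashes."""
    for _ in range(rounds):
        decoded = lenient_utf8(unquote_to_bytes(value))
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(value: str) -> bool:
    """A dispatcher target or resource path should never contain a '..' segment."""
    return ".." in normalize(value).split("/")

# Constructed sample access-log lines (not real traffic): an encoded dispatcher
# parameter on line 2, a UTF-8-encoded path on line 3.
SAMPLE_LOG = """\
10.0.0.5 - - [22/Sep/2008:10:00:01 +0000] "GET /app/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [22/Sep/2008:10:00:02 +0000] "GET /app/view.jsp?page=..%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 1044
10.0.0.9 - - [22/Sep/2008:10:00:03 +0000] "GET /app/%c0%ae%c0%ae/conf/server.xml HTTP/1.1" 200 1880
"""
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_requests(log: str) -> list:
    """Return (client, target) for each line whose path or any query value is a traversal."""
    hits = []
    for line in log.splitlines():
        match = REQUEST.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        values = [path] + [kv.partition("=")[2] for kv in query.split("&") if kv]
        if any(is_traversal(v) for v in values):
            hits.append((line.split()[0], match.group(1)))
    return hits
```

Run `suspicious_requests(SAMPLE_LOG)` to see the two encoded requests flagged while the plain `index.jsp` request passes; the same `is_traversal` check can be applied to a parameter before it is handed to `getRequestDispatcher`.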
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/jbossweb | <2.0.0-5.CP07.0jpp.ep1.1.el5 | 2.0.0-5.CP07.0jpp.ep1.1.el5 |