cbcvebase.
CVE-2003-0042
published 2003-02-07

CVE-2003-0042: Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present…

PriorityP428medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
46.03%
98.7th percentile
Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character.

Affected

9 ranges
VendorProductVersion rangeFixed in
apachetomcat
apachetomcat
apachetomcat
apachetomcat
apachetomcat
apachetomcat
apachetomcat
apachetomcat
apachetomcat

Detection & IOCsextracted from sources · hover to see the quote

commandGET /\x00.jsp HTTP/1.0
commandGET /admin/WEB-INF\classes/ContextAdmin.java\x00.jsp HTTP/1.0
commandGET /examples/jsp/cal/cal1.jsp\x00.html HTTP/1.0
path/admin/WEB-INF\classes/ContextAdmin.java
path/examples/jsp/cal/cal1.jsp
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL WEB_SERVER Tomcat null byte directory listing attempt"; flow:established,to_server; http.uri; content:"|00|.jsp"; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; classtype:web-application-attack; sid:2102061; rev:9; metadata:created_at 2010_09_23, cve CVE_2003_0042, signature_severity Unknown, updated_at 2024_03_08;)
bytes
|00|.jsp
  • Look for HTTP requests containing a null byte (%00 / \x00) in the URI, particularly before a .jsp or .html extension — this is the core exploit pattern for CVE-2003-0042.
  • Inspect HTTP URIs for backslash ('\') characters combined with null bytes, as both are used in the exploit to traverse paths and disclose file contents.
  • Monitor for directory listing responses or raw JSP source code returned by Tomcat 3.x on port 8080, which may indicate successful exploitation via null-byte injection.
  • The Snort/Suricata rule (sid:2102061) triggers on HTTP URI content matching the null byte followed by .jsp (|00|.jsp) inbound to the home network — deploy this rule on network sensors.
  • ·The vulnerability only applies when Tomcat is used together with JDK 1.3.1 or earlier — systems running a newer JDK are not affected even if running a vulnerable Tomcat version.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.