cbcvebase.
CVE-2006-3835
published 2006-07-25

CVE-2006-3835: Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by…

PriorityP336medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
45.58%
98.6th percentile
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do.

Affected

5 ranges
VendorProductVersion rangeFixed in
apachetomcat
apachetomcat
apachetomcat
apachetomcat
apachetomcat

Detection & IOCsextracted from sources · hover to see the quote

urlhttp://www.example.com/;index.jsp
urlhttp://192.168.229.85:9080/tvserver/server/;index.jsp
command/;index.jsp
command/;help.do
  • Detect directory listing probe attempts by matching HTTP requests containing a semicolon (;) immediately preceding a filename with a mapped extension (e.g., /*.jsp, /*.do) in the URL path.
  • Monitor HTTP requests where everything after the semicolon in the path is discarded by Tomcat, effectively turning the request into a directory listing request — flag any request path matching the pattern /;<string>.<mapped-extension>.
  • Alert on HTTP requests to Apache Tomcat 5.x (versions prior to 5.5.17) where the URL path contains a semicolon character followed by a mapped file extension such as .jsp or .do.
  • ·This vulnerability only triggers when directory listings are enabled in Tomcat. If directory listings are disabled, the semicolon trick returns a 404 and no directory contents are exposed. Detection/exploitation is conditional on this configuration.
  • ·The root cause is not strictly in Tomcat itself but is attributed to mod_jk behavior; Tomcat 5.5.17 mitigated the issue by disabling directory listings by default rather than patching the semicolon parsing.
  • ·Affected versions span Apache Tomcat 5.0.0–5.5.30 and 5.5.0–5.5.12; third-party products bundling affected Tomcat versions (e.g., Novell GroupWise Mobile Server, Nokia Intellisync Mobile Suite, ToutVirtual VirtualIQ Pro 3.2) are also vulnerable.

CVSS provenance

nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat5.0MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.