CVE-2008-2370
published 2008-08-04

CVE-2008-2370: Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before…

Priority: P348 · medium · CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Tags: EXPLOIT
EPSS: 52.72% (98.8th percentile)
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.

Affected

95 ranges · showing 25

Vendor   Product   Version range                                   Fixed in
apache   ode       <= 1.3.2                                        (not listed)
apache   tomcat    (ranges not captured in this extract; see the description above)

Detection & IOCs (extracted from sources)

URL: http://www.example.com/page.jsp?blah=/../WEB-INF/web.xml
Path: /../WEB-INF/web.xml
  • CVE-2008-2370 exploits Apache Tomcat's RequestDispatcher by injecting a path traversal sequence (/../) in a request parameter. The server normalizes the path before stripping the query string, allowing access to protected resources such as WEB-INF/web.xml.
  • Monitor HTTP request parameters for directory traversal patterns (e.g., /../) targeting WEB-INF or other protected paths, particularly in query string values passed to RequestDispatcher-enabled JSP pages.
  • Affected versions are Tomcat 4.1.0–4.1.37, 5.5.0–5.5.26, and 6.0.0–6.0.16. Detection rules should flag these version ranges in server banners or configuration.
  • CVE-2008-2370 (RequestDispatcher information disclosure) is a distinct vulnerability from CVE-2008-2938 (UTF-8/allowLinking directory traversal). Detection rules should not conflate the two.
  • The exploit requires a page that uses RequestDispatcher internally; the traversal payload is delivered via a query string parameter, not directly in the URI path.
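The detection note above (traversal patterns in query-string values aimed at WEB-INF) can be turned into a log scan. The following is an added example written for this page, not a rule shipped by the source or by Apache: it parses constructed access-log lines, URL-decodes each query parameter (twice, so double-encoded payloads are visible), and flags values containing a `..` segment or a reference to WEB-INF/META-INF. Log lines, names and thresholds are assumptions.

```python
"""Flag HTTP requests whose query-string parameters carry a path-traversal
sequence aimed at protected Tomcat paths (the CVE-2008-2370 pattern)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed sample access-log lines (Common Log Format); not from the page.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2008:10:01:02 +0000] "GET /page.jsp?blah=/../WEB-INF/web.xml HTTP/1.1" 200 512
10.0.0.6 - - [04/Aug/2008:10:01:03 +0000] "GET /page.jsp?blah=/help/index.html HTTP/1.1" 200 2048
10.0.0.7 - - [04/Aug/2008:10:01:04 +0000] "GET /page.jsp?blah=%2F..%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 512
10.0.0.8 - - [04/Aug/2008:10:01:05 +0000] "GET /docs/../index.html HTTP/1.1" 200 100
10.0.0.9 - - [04/Aug/2008:10:01:06 +0000] "POST /page.jsp?name=a.b.c HTTP/1.1" 200 10
"""

# Request line inside a CLF record: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment (after decoding), and references to protected directories.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')
PROTECTED_RE = re.compile(r'(^|/)(WEB-INF|META-INF)(/|$)', re.IGNORECASE)


def decode_param(value, rounds=2):
    """URL-decode up to `rounds` times so double-encoded payloads become visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request_target(target):
    """Return a list of (param, decoded_value, reason) for one request target.

    Only query-string parameters are inspected: the page notes the payload for
    this CVE travels in a parameter, not in the URI path itself."""
    findings = []
    parts = urlsplit(target)
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_param(raw)  # parse_qsl decoded once; catch a second layer
        reasons = []
        if TRAVERSAL_RE.search(value):
            reasons.append("dot-dot segment in parameter")
        if PROTECTED_RE.search(value):
            reasons.append("references protected directory")
        if reasons:
            findings.append((name, value, "; ".join(reasons)))
    return findings


def scan_log(text):
    """Scan access-log text; return one dict per suspicious request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        findings = inspect_request_target(m.group("target"))
        if findings:
            hits.append({"line": lineno, "client": line.split()[0],
                         "target": m.group("target"), "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} from {hit['client']}: {hit['target']}")
        for name, value, reason in hit["findings"]:
            print(f"    param {name!r} = {value!r}: {reason}")
```

Lines 1 and 3 of the sample are flagged (the plain and the percent-encoded form of the payload); line 4 is not, because its `..` sits in the URI path rather than a parameter, and line 5 is not, because `a.b.c` is not a `..` segment. Tune `PROTECTED_RE` to whatever directories your deployment considers sensitive, and correlate hits with the server version banner to prioritise hosts in the affected ranges.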

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      5.0     MEDIUM     AV:N/AC:L/Au:N/C:P/I:N/A:N
ghsa                      5.0     MEDIUM
osv                       5.0     MEDIUM
vendor_redhat             5.0     MEDIUM