Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2008-2938 — Path Traversal in Apache Tomcat

CWE-22 — Path Traversal10 documents8 sources

Severity

4.3MEDIUMNVD

CNA5.0GHSA5.0OSV5.0

EPSS

92.7%

top 0.25%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Apache Tomcat

Timeline

PublishedAug 13

Latest updateMay 1

Description

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

▶NVDapache/tomcat4.0.0 — 4.1.37+2

🔴Vulnerability Details

OSV

Apache Tomcat Directory Traversal vulnerability↗2022-05-01

▶

GHSA

Apache Tomcat Directory Traversal vulnerability↗2022-05-01

▶

CVEList

CVE-2008-2938: Directory traversal vulnerability in Apache Tomcat 4↗2008-08-13

▶

💥Exploits & PoCs

Exploit-DB

Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal↗2010-07-28

▶

Exploit-DB

Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)↗2008-08-11

▶

Metasploit

TrendMicro Data Loss Prevention 5.5 Directory Traversal↗

▶

📋Vendor Advisories

Red Hat

tomcat Unicode directory traversal vulnerability↗2008-08-11

▶

💬Community

Bugzilla

CVE-2008-2938 tomcat Unicode directory traversal vulnerability↗2008-07-21

▶