CVE-2008-2938
published 2008-08-13

CVE-2008-2938: Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are…

Priority: P3 (50, medium) · CVSS 2.0 base score: 4.3
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Exploit: known exploit
EPSS: 99.71% (100.0th percentile)
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

Affected (3 ranges)

Vendor   Product   Version range     Fixed in
apache   tomcat    4.0.0 – 4.1.37    not listed
apache   tomcat    5.0.0 – 5.5.26    not listed
apache   tomcat    6.0.0 – 6.0.16    not listed

Detection & IOCs (extracted from sources)

url: http://www.target.com/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/foo/bar
command: GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0
url: http://server:9080/tvserver/server/%C0%AE%C0%AE/WEB-INF/web.xml
bytes: %c0%ae%c0%ae (UTF-8 overlong encoding of '..')
  • Detect HTTP requests containing the UTF-8 overlong-encoded directory traversal sequence %c0%ae%c0%ae (or %C0%AE%C0%AE) in the URI path, which represents an encoded '..' used to escape the web root.
  • Alert on HTTP GET requests where the URI contains repeated occurrences of %c0%ae or %C0%AE (case-insensitive), especially targeting sensitive paths such as /etc/passwd or /WEB-INF/.
  • The vulnerability is only exploitable when both 'allowLinking' is set to true AND 'URIEncoding' is set to UTF-8 in the Tomcat connector configuration. Audit server.xml and context.xml for these settings.
  • The underlying flaw is in the JVM, not Tomcat itself. Vulnerable Java versions include Sun JRE prior to 1.4.2_19, 1.5.0_17, 6u11, and IBM Java prior to 5.0 SR9, 1.4.2 SR13, SE 6 SR4. Correlate Tomcat version with JVM version during triage.
  • In Trend Micro DLP appliance deployments, the same %c0%ae traversal pattern applies; password hashes are stored in /etc/passwd (not /etc/shadow) and are anonymously accessible if vulnerable.
  • The vulnerability is only triggered under a non-default configuration: both 'allowLinking' and 'URIEncoding=UTF-8' must be explicitly enabled in the Tomcat connector (server.xml or context.xml).
  • Hot fix (without upgrading): disable allowLinking OR do not set URIEncoding to UTF-8. Either condition alone prevents exploitation.
  • Affected version range per vendor advisory is Tomcat 4.1.0–4.1.37, 5.5.0–5.5.26, and 6.0.0–6.0.16; reports of 6.0.17 being affected are incorrect per the vendor.
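As an added illustration of the detection guidance above (example code, not part of this record or of Tomcat), the following Python scanner decodes the overlong UTF-8 form the way a lenient decoder would and then checks for a real '..' path segment, instead of pattern-matching the literal %c0%ae bytes. The request lines are constructed samples modelled on the IOCs listed above; `classify_request` and `scan` are names chosen here.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample request lines modelled on the IOCs above (not real traffic).
SAMPLE_REQUESTS = [
    "GET /%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd HTTP/1.0",
    "GET /tvserver/server/%C0%AE%C0%AE/WEB-INF/web.xml HTTP/1.1",
    "GET /docs/..%2f..%2fWEB-INF/web.xml HTTP/1.1",  # plain encoded '..', no overlong bytes
    "GET /report%c0%ae2008.txt HTTP/1.1",           # overlong byte, but decodes to a filename, not '..'
    "GET /images/logo.png HTTP/1.1",
]


def lenient_utf8_decode(data: bytes) -> str:
    """Decode like the non-strict decoder this CVE depends on: a lead byte of
    0xC0/0xC1 followed by a continuation byte is an overlong 2-byte form of an
    ASCII character (0xC0 0xAE -> '.'); strict UTF-8 rejects it.  Other bytes
    pass through one-to-one, which is enough for spotting '/' and '..'."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)


def classify_request(line: str):
    """Label one request line: 'overlong-utf8-traversal', 'encoded-traversal',
    or None.  Decoding first avoids alerting on %c0%ae that is not a '..' segment."""
    parts = line.split()
    if len(parts) < 2:
        return None
    raw = unquote_to_bytes(parts[1].split("?", 1)[0])  # path only, percent-decoded once
    overlong = any(b in (0xC0, 0xC1) for b in raw)
    segments = lenient_utf8_decode(raw).replace("\\", "/").split("/")
    if ".." in segments:
        return "overlong-utf8-traversal" if overlong else "encoded-traversal"
    return None


def scan(lines):
    """Return (line, label) for every request line that is flagged."""
    return [(line, label) for line in lines if (label := classify_request(line))]


if __name__ == "__main__":
    for line, label in scan(SAMPLE_REQUESTS):
        print(f"{label:25s} {line}")
```

The fourth sample shows why decoding matters: a raw regex on %c0%ae would flag it, while the decoded path contains no traversal segment.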

CVSS provenance

nvd: v2.0 4.3 MEDIUM AV:N/AC:M/Au:N/C:P/I:N/A:N
ghsa: 5.0 MEDIUM
osv: 5.0 MEDIUM
vendor_redhat: 5.0 MEDIUM