CVE-2008-5515
published 2009-06-16

Priority: P3 (medium; site score 39)
CVSS 2.0: 5.0 (medium), vector AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 18.68% (96.9th percentile)
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
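How the ordering bug turns a parameter value into a path, as an added illustration that is not Tomcat's own code: the snippet models "normalize, then strip the query string" (the affected order) against "strip the query string, then normalize" (the fixed order). The normalize() routine, the two resolve_* helpers and the app_forward_target() application pattern are assumptions made for the demonstration; the query string is the one from the page's example URL.

```python
"""Why normalizing before stripping the query string is exploitable.

Added model of the CVE-2008-5515 code path; illustrative Python, not
Tomcat source. normalize() mimics what a container's path normalizer
does (collapse '.' and '..' segments); the two resolve_*() functions
differ only in whether the query string is removed before or after
normalization. app_forward_target() stands in for an assumed
application pattern that re-attaches the client's query string to the
dispatcher target.
"""
from typing import Optional, Tuple


def normalize(path: str) -> Optional[str]:
    """Collapse '.', '..' and empty segments. Returns None when '..' would
    climb above the context root, which a container rejects outright."""
    if not path.startswith("/"):
        path = "/" + path
    out = []
    for seg in path.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def split_query(target: str) -> Tuple[str, Optional[str]]:
    """Separate a dispatcher target into (servlet path, query string)."""
    if "?" in target:
        path, query = target.split("?", 1)
        return path, query
    return target, None


def resolve_vulnerable(target: str) -> Optional[Tuple[str, Optional[str]]]:
    """Affected order: normalize the whole target, then split off the
    query string. A '/../' inside a parameter value is consumed as path
    segments and rewrites the servlet path."""
    normalized = normalize(target)
    if normalized is None:
        return None
    return split_query(normalized)


def resolve_fixed(target: str) -> Optional[Tuple[str, Optional[str]]]:
    """Fixed order: split off the query string first and normalize only
    the path, so traversal sequences in parameter values stay inert."""
    path, query = split_query(target)
    normalized = normalize(path)
    if normalized is None:
        return None
    return normalized, query


def app_forward_target(client_query: str) -> str:
    """Assumed application pattern: forward to a JSP and keep the client's
    query string. The forward is an internal dispatch, so the container's
    WEB-INF restriction for direct client requests does not apply."""
    return "/page.jsp?" + client_query


def lands_in_web_inf(resolved) -> bool:
    """True when the resolved servlet path points into WEB-INF."""
    return resolved is not None and resolved[0].upper().startswith("/WEB-INF/")


if __name__ == "__main__":
    q = "blah=/../WEB-INF/web.xml"   # query string from the page's example URL
    print("vulnerable:", resolve_vulnerable(app_forward_target(q)))
    print("fixed:     ", resolve_fixed(app_forward_target(q)))
```

In the affected order the target "/page.jsp?blah=/../WEB-INF/web.xml" normalizes to "/WEB-INF/web.xml" with no query string left; in the fixed order the servlet path stays "/page.jsp" and the traversal remains an ordinary parameter value.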

Affected

85 version entries on the source page (25 shown there); the rows below consolidate them per release branch as given in the description. Fixed-in versions are taken from the Apache Tomcat security pages for each branch.

Vendor  Product  Version range                         Fixed in
apache  tomcat   4.1.0 through 4.1.39                  4.1.40
apache  tomcat   5.5.0 through 5.5.27                  5.5.28
apache  tomcat   6.0.0 through 6.0.18                  6.0.20
apache  tomcat   possibly earlier (3.x, 4.0.x, 5.0.x)  none (unsupported branches)

Detection & IOCs (extracted from sources)

url: http://host/page.jsp?blah=/../WEB-INF/web.xml
path: /../WEB-INF/web.xml
  • Look for HTTP requests whose query-string parameter values, after percent-decoding, contain '../' or '..\' sequences combined with a 'WEB-INF' path component, aimed at endpoints that dispatch internally (e.g., JSP pages reached through a RequestDispatcher).
  • Detect the traversal in query-string parameters, not in the request path: the bypass exists because affected Tomcat versions normalize the dispatcher target before stripping the query string, so a '/../' inside a parameter value is consumed as path segments.
  • Flag any request in which a query parameter value contains '/../WEB-INF/'; this is the canonical exploit pattern for CVE-2008-5515.
  • The vulnerability is specific to use of a RequestDispatcher obtained from the Request object with a target that carries request-supplied data such as the query string; applications not using RequestDispatcher are not affected by this code path.
  • Affected versions span a wide range: Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18; the unsupported 3.x, 4.0.x, and 5.0.x branches may also be vulnerable.
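The detection rules above run over access-log lines, as an added example that is not taken from the page's sources: the log format, the regexes, the alert fields and the SAMPLE_LOG lines are assumptions constructed for the demonstration. It percent-decodes parameter values before matching (repeatedly, to catch double encoding), treats backslash and lowercase variants as hits, and deliberately inspects only the query string, since the page's point is that the bypass lives in parameter values rather than in the request path.

```python
"""Flag CVE-2008-5515-style traversal in query-string parameter values.

Added example, not code from the page's sources. The log format, the
regexes and the alert structure are assumptions; SAMPLE_LOG is
constructed traffic. Parameter values are percent-decoded (repeatedly,
to catch double encoding) before matching, and only the query string is
inspected, because the bypass described for this CVE lives in parameter
values, not in the request path.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[\\/]')          # '../' or '..\'
WEB_INF_RE = re.compile(r'WEB-INF', re.IGNORECASE)
CANONICAL = "/../WEB-INF/"                        # the page's canonical pattern


def decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %2F..%2FWEB-INF and
    %252F.. variants are compared in their final form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target: str):
    """Return [(name, decoded value)] for parameters whose value contains
    a traversal sequence together with a WEB-INF component."""
    query = urlsplit(target).query
    hits = []
    for name, raw in parse_qsl(query, keep_blank_values=True):
        value = decode(raw)
        if TRAVERSAL_RE.search(value) and WEB_INF_RE.search(value):
            hits.append((name, value))
    return hits


def scan(lines):
    """Run the rule over access-log lines; unparsable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if not hits:
            continue
        alerts.append({
            "ip": m["ip"],
            "target": m["target"],
            "status": int(m["status"]),
            "params": hits,
            # exact '/../WEB-INF/' form vs. encoded / backslash variants
            "canonical": any(CANONICAL in v.upper() for _, v in hits),
        })
    return alerts


SAMPLE_LOG = [  # constructed lines, not captured traffic
    '10.0.0.5 - - [16/Jun/2009:10:01:02 +0000] "GET /app/page.jsp?blah=/../WEB-INF/web.xml HTTP/1.1" 200 1834',
    '10.0.0.5 - - [16/Jun/2009:10:01:03 +0000] "GET /app/page.jsp?blah=%2F..%2FWEB-INF%2Fweb.xml HTTP/1.1" 200 1834',
    '10.0.0.9 - - [16/Jun/2009:10:01:04 +0000] "GET /app/page.jsp?blah=..%5Cweb-inf%5Cweb.xml HTTP/1.1" 200 1834',
    '10.0.0.7 - - [16/Jun/2009:10:02:00 +0000] "GET /app/page.jsp?blah=hello HTTP/1.1" 200 512',
    '10.0.0.7 - - [16/Jun/2009:10:02:05 +0000] "GET /app/../WEB-INF/web.xml HTTP/1.1" 404 0',   # path, not query
    '10.0.0.8 - - [16/Jun/2009:10:02:07 +0000] "GET /app/docs.jsp?q=WEB-INF HTTP/1.1" 200 700',  # no traversal
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Of the six constructed lines, the first three raise alerts (two in the canonical form, one encoded with backslashes and lowercase web-inf); the traversal in the request path and the bare WEB-INF parameter value are left alone, matching the rules' scope.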

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat           5.0    MEDIUM
vendor_ubuntu           5.0    MEDIUM