CVE-2008-5515: Path Traversal in Apache Tomcat

CWE-22: Path Traversal (8 documents, 7 sources)
Severity: 5.0 MEDIUM (NVD)
EPSS: 72.9% (top 1.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jun 16
Latest update: May 14

Description

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

CVSS vector

AV:N/AC:L/C:P/I:N/A:N
Exploitability: 10.0 | Impact: 2.9

Affected Packages (1 package)

NVD: apache/tomcat (80 versions)


🔴 Vulnerability Details (3)

OSV: Directory Traversal in Apache Tomcat (2022-05-14)
GHSA: Directory Traversal in Apache Tomcat (2022-05-14)
CVEList: CVE-2008-5515: Apache Tomcat 4 (2009-06-16)

📋 Vendor Advisories (2)

Ubuntu: Tomcat vulnerabilities (2009-06-15)
Red Hat: tomcat request dispatcher information disclosure vulnerability (2009-06-08)

💬 Community (2)

Bugzilla: CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2008-5515 CVE-2009-0781 Multiple tomcat5 vulnerabilities [Fedora all] (2009-11-09)
Bugzilla: CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability (2009-06-09)