CVE-2008-5515
published 2009-06-16CVE-2008-5515: Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering…
PriorityP339medium5CVSS 2.0
AVNACLAuNCPINAN
EPSS
18.68%
96.9th percentile
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
Affected
85 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
| apache | tomcat | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for HTTP requests where query string parameters contain '../' or '..\' sequences combined with 'WEB-INF' path components, targeting RequestDispatcher-handled endpoints (e.g., JSP pages). ↗
- →Detect directory traversal attempts via query string parameters (not the path itself) — the bypass occurs because Tomcat normalizes the target path before stripping the query string, so traversal sequences appear in parameter values. ↗
- →Flag requests where any query parameter value contains '/../WEB-INF/' as this is the canonical exploit pattern for CVE-2008-5515. ↗
- ·The vulnerability is specific to use of the RequestDispatcher obtained from the Request object; applications not using RequestDispatcher are not affected by this code path. ↗
- ·Affected versions span a wide range: Tomcat 4.1.0–4.1.39, 5.5.0–5.5.27, 6.0.0–6.0.18; unsupported 3.x, 4.0.x, and 5.0.x branches may also be vulnerable. ↗
CVSS provenance
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
vendor_redhat5.0MEDIUM
vendor_ubuntu5.0MEDIUM
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Directory Traversal in Apache Tomcat
osv·2022-05-14
CVE-2008-5515 [MEDIUM] Directory Traversal in Apache Tomcat
Directory Traversal in Apache Tomcat
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
GHSA
Directory Traversal in Apache Tomcat
ghsa·2022-05-14
CVE-2008-5515 [MEDIUM] CWE-22 Directory Traversal in Apache Tomcat
Directory Traversal in Apache Tomcat
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
VMware
VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
vendor_vmware·2009-11-20·CVSS 5.0
CVE-2007-2052 [MEDIUM] VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
VMSA-2009-0016: VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.
a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-
Ubuntu
Tomcat vulnerabilities
vendor_ubuntu·2009-06-15·CVSS 5.0
CVE-2009-0580 [MEDIUM] Tomcat vulnerabilities
Title: Tomcat vulnerabilities
Summary: Tomcat vulnerabilities
Iida Minehiko discovered that Tomcat did not properly normalise paths. A
remote attacker could send specially crafted requests to the server and
bypass security restrictions, gaining access to sensitive content.
(CVE-2008-5515)
Yoshihito Fukuyama discovered that Tomcat did not properly handle errors
when the Java AJP connector and mod_jk load balancing are used. A remote
attacker could send specially crafted requests containing invalid headers
to the server and cause a temporary denial of service. (CVE-2009-0033)
D. Matscheko and T. Hackner discovered that Tomcat did not properly handle
malformed URL encoding of passwords when FORM authentication is used. A
remote attacker could exploit this in order to enumerate valid usern
Red Hat
tomcat request dispatcher information disclosure vulnerability
vendor_redhat·2009-06-08·CVSS 5.0
CVE-2008-5515 [MEDIUM] tomcat request dispatcher information disclosure vulnerability
tomcat request dispatcher information disclosure vulnerability
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2008-5515 CVE-2009-0781 Multiple tomcat5 vulnerabilities [Fedora all]
bugzilla·2009-11-09·CVSS 5.0
CVE-2009-0033 [MEDIUM] CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2008-5515 CVE-2009-0781 Multiple tomcat5 vulnerabilities [Fedora all]
CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 CVE-2008-5515 CVE-2009-0781 Multiple tomcat5 vulnerabilities [Fedora all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in all affected branches.
You should *not* refer to this bug publicly, as it is a private "Fedora Project Contributors" bug.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in "Blocks" field.
bug #493381: CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
bug #503978: CVE-2009-0580 tomcat6 Information disclosure in authentication classes
bug #504153: CVE-2009-0783 tomcat XML parser information disclosure
bug #504753: CVE-2008-5515 tomcat request dispatcher information d
Bugzilla
CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability
bugzilla·2009-06-09·CVSS 5.0
CVE-2008-5515 [MEDIUM] CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability
CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability
http://marc.info/?l=tomcat-dev&m=124449799021570&w=2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2008-5515: Apache Tomcat information disclosure vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected
Description:
When using a RequestDispatcher obtained from the Request, the target
path was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF
http://jvn.jp/en/jp/JVN63832775/index.htmlhttp://lists.apple.com/archives/security-announce/2010//Mar/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.htmlhttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.htmlhttp://marc.info/?l=bugtraq&m=127420533226623&w=2http://marc.info/?l=bugtraq&m=129070310906557&w=2http://marc.info/?l=bugtraq&m=136485229118404&w=2http://secunia.com/advisories/35393http://secunia.com/advisories/35685http://secunia.com/advisories/35788http://secunia.com/advisories/37460http://secunia.com/advisories/39317http://secunia.com/advisories/42368http://secunia.com/advisories/44183http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1http://support.apple.com/kb/HT4077http://tomcat.apache.org/security-4.htmlhttp://tomcat.apache.org/security-5.htmlhttp://tomcat.apache.org/security-6.htmlhttp://www.debian.org/security/2011/dsa-2207http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2009:136http://www.mandriva.com/security/advisories?name=MDVSA-2009:138http://www.mandriva.com/security/advisories?name=MDVSA-2010:176http://www.securityfocus.com/archive/1/504170/100/0/threadedhttp://www.securityfocus.com/archive/1/504202/100/0/threadedhttp://www.securityfocus.com/archive/1/507985/100/0/threadedhttp://www.securityfocus.com/bid/35263http://www.vmware.com/security/advisories/VMSA-2009-0016.htmlhttp://www.vupen.com/english/advisories/2009/1520http://www.vupen.com/english/advisories/2009/1535http://www.vupen.com/english/advisories/2009/1856http://www.vupen.com/english/advisories/2009/3316http://www.vupen.com/english/advisories/2010/3056https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3Ehttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.htmlhttps://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.htmlhttps://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.htmlhttp://jvn.jp/en/jp/JVN63832775/index.htmlhttp://lists.apple.com/archives/security-announce/2010//Mar/msg00001.htmlhttp://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.htmlhttp://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.htmlhttp://marc.info/?l=bugtraq&m=127420533226623&w=2http://marc.info/?l=bugtraq&m=129070310906557&w=2http://marc.info/?l=bugtraq&m=136485229118404&w=2http://secunia.com/advisories/35393http://secunia.com/advisories/35685http://secunia.com/advisories/35788http://secunia.com/advisories/37460http://secunia.com/advisories/39317http://secunia.com/advisories/42368http://secunia.com/advisories/44183http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1http://support.apple.com/kb/HT4077http://tomcat.apache.org/security-4.htmlhttp://tomcat.apache.org/security-5.htmlhttp://tomcat.apache.org/security-6.htmlhttp://www.debian.org/security/2011/dsa-2207http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.htmlhttp://www.mandriva.com/security/advisories?name=MDVSA-2009:136http://www.mandriva.com/security/advisories?name=MDVSA-2009:138http://www.mandriva.com/security/advisories?name=MDVSA-2010:176http://www.securityfocus.com/archive/1/504170/100/0/threadedhttp://www.securityfocus.com/archive/1/504202/100/0/threadedhttp://www.securityfocus.com/archive/1/507985/100/0/threadedhttp://www.securityfocus.com/bid/35263http://www.vmware.com/security/advisories/VMSA-2009-0016.htmlhttp://www.vupen.com/english/advisories/2009/1520http://www.vupen.com/english/advisories/2009/1535http://www.vupen.com/english/advisories/2009/1856http://www.vupen.com/english/advisories/2009/3316http://www.vupen.com/english/advisories/2010/3056https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3Ehttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.htmlhttps://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.htmlhttps://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
2009-06-16
Published