CVE-2008-5515

Loading...

General

Score:5.0/10.0
Severity:Medium
Category:Path Manipulation
Exploit:Available

Impact Metrics

Confidentiality:Partial
Integrity:None
Availability:None

Exploitability Metrics

Access Vector:Network
Access Complexity:Low
Authentication:None

Relative vulnerabilities

CVE-2003-0063, CVE-2006-1329, CVE-2007-1858, CVE-2007-2052, CVE-2007-3385, CVE-2007-4965, CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-5966, CVE-2007-6286, CVE-2008-0002, CVE-2008-0564, CVE-2008-0888, CVE-2008-1232, CVE-2008-1678, CVE-2008-1721, CVE-2008-1887, CVE-2008-1947, CVE-2008-2315, CVE-2008-2370, CVE-2008-2712, CVE-2008-3142, CVE-2008-3143, CVE-2008-3144, CVE-2008-3528, CVE-2008-4101, CVE-2008-4307, CVE-2008-4456, CVE-2008-4864, CVE-2008-5031, CVE-2008-5302, CVE-2008-5303, CVE-2008-5700, CVE-2008-7247, CVE-2009-0028, CVE-2009-0033, CVE-2009-0037, CVE-2009-0159, CVE-2009-0269, CVE-2009-0316, CVE-2009-0322, CVE-2009-0580, CVE-2009-0675, CVE-2009-0676, CVE-2009-0688, CVE-2009-0689, CVE-2009-0696, CVE-2009-0745, CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, CVE-2009-0778, CVE-2009-0781, CVE-2009-0783, CVE-2009-0787, CVE-2009-0834, CVE-2009-1072, CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, CVE-2009-1107, CVE-2009-1192, CVE-2009-1252, CVE-2009-1336, CVE-2009-1337, CVE-2009-1385, CVE-2009-1388, CVE-2009-1389, CVE-2009-1439, CVE-2009-1630, CVE-2009-1633, CVE-2009-1895, CVE-2009-1904, CVE-2009-2042, CVE-2009-2406, CVE-2009-2407, CVE-2009-2414, CVE-2009-2416, CVE-2009-2417, CVE-2009-2422, CVE-2009-2446, CVE-2009-2625, CVE-2009-2632, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2692, CVE-2009-2693, CVE-2009-2698, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724, CVE-2009-2730, CVE-2009-2801, CVE-2009-2847, CVE-2009-2848, CVE-2009-2901, CVE-2009-2902, CVE-2009-2906, CVE-2009-3009, CVE-2009-3095, CVE-2009-3229, CVE-2009-3230, CVE-2009-3548, CVE-2009-3555, CVE-2009-3557, CVE-2009-3558, CVE-2009-3559, CVE-2009-4017, CVE-2009-4019, CVE-2009-4030, CVE-2009-4034, CVE-2009-4136, CVE-2009-4142, CVE-2009-4143, CVE-2009-4214, CVE-2010-0041, CVE-2010-0042, CVE-2010-0043, CVE-2010-0055, CVE-2010-0056, CVE-2010-0057, CVE-2010-0058, CVE-2010-0059, CVE-2010-0060, CVE-2010-0062, CVE-2010-0063, CVE-2010-0064, CVE-2010-0065, CVE-2010-0393, CVE-2010-0497, CVE-2010-0498, CVE-2010-0500, CVE-2010-0501, CVE-2010-0502, CVE-2010-0503, CVE-2010-0504, CVE-2010-0505, CVE-2010-0506, CVE-2010-0507, CVE-2010-0508, CVE-2010-0509, CVE-2010-0510, CVE-2010-0511, CVE-2010-0512, CVE-2010-0513, CVE-2010-0514, CVE-2010-0515, CVE-2010-0516, CVE-2010-0517, CVE-2010-0518, CVE-2010-0519, CVE-2010-0520, CVE-2010-0521, CVE-2010-0522, CVE-2010-0523, CVE-2010-0524, CVE-2010-0525, CVE-2010-0526, CVE-2010-0533, CVE-2010-0534, CVE-2010-0535, CVE-2010-0537, CVE-2010-1157, CVE-2010-1169, CVE-2010-1170, CVE-2010-1975, CVE-2010-2227, CVE-2010-3433, CVE-2010-3718, CVE-2010-4015, CVE-2010-4172, CVE-2011-0013, CVE-2011-0286, CVE-2011-1184, CVE-2011-2204, CVE-2011-2729

Published on 16/06/09 - Updated on 25/03/19

Description

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Category: Path Manipulation

CWE-22 (Path Traversal)
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Security Notices

US National Vulnerability DatabaseCVE-2008-5515
Agence Nationale de la Sécurité des Systèmes d'Information CERTA-2009-AVI-211, CERTA-2009-AVI-513, CERTA-2010-AVI-143, CERTA-2010-AVI-220, CERTA-2011-AVI-221
CentOS CESA-2009:1164
Debian DSA-2207-1
Redhat RHSA-2009:1164
Renater 2009/VULN470, 2010/VULN102, 2010/VULN104, 2010/VULN170, 2011/VULN335, 2012/VULN031

Exploits

SecurityFocusBID-35263

Relative technologies

VendorProduct
apachetomcat

Share this vulnerability with:

Twitter Facebook LinkedIn Mail