CVE-2008-5515

Published: 16 June 2009

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
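The ordering described above is the whole bug: if the dispatcher target (a string of the form `/path?query`) is normalized while the query string is still attached, `..` segments placed in the query string take part in the normalization and can rewrite the path portion. The following model is an added illustration, not Tomcat's source; its functions, the `/jsp/index.jsp` page and the sample query string are constructed for the example. `resolve_vulnerable` applies the affected order (normalize, then strip the query string) and `resolve_fixed` the corrected order (strip the query string, then normalize only the path).

```python
"""Order-of-operations model for the CVE-2008-5515 class of bug.

Added example, not Tomcat's code: a small model of how a container turns
a RequestDispatcher target "/path?query" into a resolved (path, query) pair.
"""
from typing import Optional, Tuple


def normalize(path: str) -> Optional[str]:
    """Collapse ".", ".." and repeated slashes in a context-relative path.

    Returns None when ".." would climb above the context root, which is how
    a container rejects an out-of-root target. Assumption: the input is an
    absolute, context-relative path (a leading "/" is added if missing).
    """
    if not path.startswith("/"):
        path = "/" + path
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if not stack:
                return None  # attempt to leave the context root
            stack.pop()
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def split_query(target: str) -> Tuple[str, Optional[str]]:
    """Separate "/path?query" into ("/path", "query"); query is None if absent."""
    pos = target.find("?")
    if pos < 0:
        return target, None
    return target[:pos], target[pos + 1:]


def resolve_vulnerable(target: str) -> Optional[Tuple[str, Optional[str]]]:
    """Affected order: normalize the whole target, then remove the query string.

    Because the query string is still attached during normalization, ".."
    segments inside it consume path segments and change the resolved path.
    """
    normalized = normalize(target)
    if normalized is None:
        return None
    return split_query(normalized)


def resolve_fixed(target: str) -> Optional[Tuple[str, Optional[str]]]:
    """Corrected order: remove the query string first, then normalize the path.

    The query string is carried along unchanged and can no longer influence
    which resource the dispatcher resolves.
    """
    path, query = split_query(target)
    normalized = normalize(path)
    if normalized is None:
        return None
    return normalized, query


def build_dispatch_target(page: str, untrusted_query: str) -> str:
    """Constructed scenario: an application forwards to a fixed page and passes
    a caller-supplied query string through to it."""
    return f"{page}?{untrusted_query}"


if __name__ == "__main__":
    # Constructed input: a query string that carries dot-dot segments.
    target = build_dispatch_target("/jsp/index.jsp", "x/../../WEB-INF/web.xml")
    print("vulnerable order:", resolve_vulnerable(target))  # path rewritten to /WEB-INF/web.xml
    print("fixed order:     ", resolve_fixed(target))       # path stays /jsp/index.jsp
    print("benign query:    ", resolve_fixed(build_dispatch_target("/jsp/index.jsp", "name=a")))
```

Running the block shows the two orderings diverging only when the query string contains path syntax: with the affected order the constructed target resolves to `/WEB-INF/web.xml` with an empty query, while the corrected order keeps `/jsp/index.jsp` as the path and leaves the dot-dot segments as inert query data. The same model also rejects targets that climb above the context root in either order.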

Priority

Medium

Status

Package     Release    Status
tomcat5     Upstream   Needs triage

tomcat5.5   Upstream   Released (5.5.28)
                       Patches:
                       Upstream: http://svn.apache.org/viewvc?view=rev&revision=782757

tomcat6     Upstream   Released (6.0.20)
                       Patches:
                       Upstream: http://svn.apache.org/viewvc?view=rev&revision=734734

Notes

Author     Note
mdeslaur   example PoC: http://seclists.org/bugtraq/2009/Jun/0086.html

References