CVE-2015-5345
Published: 24 February 2016
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
From the Ubuntu security team
It was discovered that the Tomcat mapper component incorrectly handled redirects. A remote attacker could use this issue to determine the existence of a directory.
Priority
Low
CVSS 3 base score: 5.3
Status
| Package | Release | Status |
|---|---|---|
|
tomcat6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| precise |
Released
(6.0.35-1ubuntu3.7)
|
|
| trusty |
Released
(6.0.39-1ubuntu0.1)
|
|
| upstream |
Released
(6.0.45)
|
|
| wily |
Ignored
(reached end-of-life)
|
|
| xenial |
Released
(6.0.45+dfsg-1)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1715216 upstream: http://svn.apache.org/viewvc?view=revision&revision=1717216 |
||
|
tomcat7 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.0.68-1)
|
| bionic |
Not vulnerable
(7.0.68-1)
|
|
| precise |
Does not exist
(precise was needed)
|
|
| trusty |
Released
(7.0.52-1ubuntu0.6)
|
|
| upstream |
Released
(7.0.68-1)
|
|
| wily |
Released
(7.0.64-1ubuntu0.3)
|
|
| xenial |
Not vulnerable
(7.0.68-1)
|
|
| yakkety |
Not vulnerable
(7.0.68-1)
|
|
| zesty |
Not vulnerable
(7.0.68-1)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1715213 upstream: http://svn.apache.org/viewvc?view=revision&revision=1717212 |
||
|
tomcat8 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(8.0.32-1ubuntu1)
|
| bionic |
Not vulnerable
(8.0.32-1ubuntu1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.0.30-1)
|
|
| wily |
Ignored
(reached end-of-life)
|
|
| xenial |
Not vulnerable
(8.0.32-1ubuntu1)
|
|
| yakkety |
Not vulnerable
(8.0.32-1ubuntu1)
|
|
| zesty |
Not vulnerable
(8.0.32-1ubuntu1)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1715207 upstream: http://svn.apache.org/viewvc?view=revision&revision=1717209 |
||
|
tomcat9 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Released
(9.0.16-3~18.04.1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(9.0.0.M3)
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|