CVE-2008-5515
Published: 16 June 2009
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
Notes
| Author | Note |
|---|---|
| mdeslaur | example PoC: http://seclists.org/bugtraq/2009/Jun/0086.html |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
tomcat5 Launchpad, Ubuntu, Debian |
dapper |
Ignored
(end of life)
|
| hardy |
Does not exist
|
|
| intrepid |
Does not exist
|
|
| jaunty |
Does not exist
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| upstream |
Needs triage
|
|
|
tomcat5.5 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Ignored
(end of life)
|
|
| intrepid |
Ignored
(end of life, was needed)
|
|
| jaunty |
Ignored
(end of life)
|
|
| karmic |
Does not exist
|
|
| lucid |
Does not exist
|
|
| maverick |
Does not exist
|
|
| natty |
Does not exist
|
|
| oneiric |
Does not exist
|
|
| upstream |
Released
(5.5.28)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=rev&revision=782757 |
||
|
tomcat6 Launchpad, Ubuntu, Debian |
dapper |
Does not exist
|
| hardy |
Does not exist
|
|
| intrepid |
Released
(6.0.18-0ubuntu3.2)
|
|
| jaunty |
Released
(6.0.18-0ubuntu6.1)
|
|
| karmic |
Not vulnerable
(6.0.20-1ubuntu1)
|
|
| lucid |
Not vulnerable
(6.0.20-1ubuntu1)
|
|
| maverick |
Not vulnerable
(6.0.20-1ubuntu1)
|
|
| natty |
Not vulnerable
(6.0.20-1ubuntu1)
|
|
| oneiric |
Not vulnerable
(6.0.20-1ubuntu1)
|
|
| upstream |
Released
(6.0.20)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=rev&revision=734734 |
||