Lucene search

[email protected]CVE-2008-5515

HistoryJun 16, 2009 - 9:00 p.m.

CVE-2008-5515

2009-06-1621:00:00

CWE-22

[email protected]

web.nvd.nist.gov

apache tomcat

cve-2008-5515

directory traversal

security vulnerability

nvd

requestdispatcher method

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

4.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.5%

JSON

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via … (dot dot) sequences and the WEB-INF directory in a Request.

Affected configurations

NVD

Node

apachetomcatMatch4.1.0

apachetomcatMatch4.1.1

apachetomcatMatch4.1.2

apachetomcatMatch4.1.3

apachetomcatMatch4.1.10

apachetomcatMatch4.1.11

apachetomcatMatch4.1.12

apachetomcatMatch4.1.13

apachetomcatMatch4.1.14

apachetomcatMatch4.1.15

apachetomcatMatch4.1.16

apachetomcatMatch4.1.17

apachetomcatMatch4.1.18

apachetomcatMatch4.1.19

apachetomcatMatch4.1.20

apachetomcatMatch4.1.21

apachetomcatMatch4.1.22

apachetomcatMatch4.1.23

apachetomcatMatch4.1.24

apachetomcatMatch4.1.25

apachetomcatMatch4.1.26

apachetomcatMatch4.1.27

apachetomcatMatch4.1.28

apachetomcatMatch4.1.29

apachetomcatMatch4.1.30

apachetomcatMatch4.1.31

apachetomcatMatch4.1.32

apachetomcatMatch4.1.33

apachetomcatMatch4.1.34

apachetomcatMatch4.1.35

apachetomcatMatch4.1.36

apachetomcatMatch4.1.37

apachetomcatMatch4.1.38

apachetomcatMatch4.1.39

apachetomcatMatch5.5.0

apachetomcatMatch5.5.1

apachetomcatMatch5.5.2

apachetomcatMatch5.5.3

apachetomcatMatch5.5.4

apachetomcatMatch5.5.5

apachetomcatMatch5.5.6

apachetomcatMatch5.5.7

apachetomcatMatch5.5.8

apachetomcatMatch5.5.9

apachetomcatMatch5.5.10

apachetomcatMatch5.5.11

apachetomcatMatch5.5.12

apachetomcatMatch5.5.13

apachetomcatMatch5.5.14

apachetomcatMatch5.5.15

apachetomcatMatch5.5.16

apachetomcatMatch5.5.17

apachetomcatMatch5.5.18

apachetomcatMatch5.5.19

apachetomcatMatch5.5.20

apachetomcatMatch5.5.21

apachetomcatMatch5.5.22

apachetomcatMatch5.5.23

apachetomcatMatch5.5.24

apachetomcatMatch5.5.25

apachetomcatMatch5.5.26

apachetomcatMatch5.5.27

apachetomcatMatch6.0

apachetomcatMatch6.0.0

apachetomcatMatch6.0.1

apachetomcatMatch6.0.2

apachetomcatMatch6.0.3

apachetomcatMatch6.0.4

apachetomcatMatch6.0.5

apachetomcatMatch6.0.6

apachetomcatMatch6.0.7

apachetomcatMatch6.0.9

apachetomcatMatch6.0.10

apachetomcatMatch6.0.12

apachetomcatMatch6.0.13

apachetomcatMatch6.0.14

apachetomcatMatch6.0.15

apachetomcatMatch6.0.16

apachetomcatMatch6.0.17

apachetomcatMatch6.0.18

CPENameOperatorVersion
apache:tomcatapache tomcateq4.1.0
apache:tomcatapache tomcateq4.1.1
apache:tomcatapache tomcateq4.1.2
apache:tomcatapache tomcateq4.1.3
apache:tomcatapache tomcateq4.1.10
apache:tomcatapache tomcateq4.1.11
apache:tomcatapache tomcateq4.1.12
apache:tomcatapache tomcateq4.1.13
apache:tomcatapache tomcateq4.1.14
apache:tomcatapache tomcateq4.1.15

CPE	Name	Operator	Version
apache:tomcat	apache tomcat	eq	4.1.0
apache:tomcat	apache tomcat	eq	4.1.1
apache:tomcat	apache tomcat	eq	4.1.2
apache:tomcat	apache tomcat	eq	4.1.3
apache:tomcat	apache tomcat	eq	4.1.10
apache:tomcat	apache tomcat	eq	4.1.11
apache:tomcat	apache tomcat	eq	4.1.12
apache:tomcat	apache tomcat	eq	4.1.13
apache:tomcat	apache tomcat	eq	4.1.14
apache:tomcat	apache tomcat	eq	4.1.15

Rows per page:

1-10 of 801

References

jvn.jp/en/jp/JVN63832775/index.html

lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html

marc.info/?l=bugtraq&m=127420533226623&w=2

marc.info/?l=bugtraq&m=129070310906557&w=2

marc.info/?l=bugtraq&m=136485229118404&w=2

secunia.com/advisories/35393

secunia.com/advisories/35685

secunia.com/advisories/35788

secunia.com/advisories/37460

secunia.com/advisories/39317

secunia.com/advisories/42368

secunia.com/advisories/44183

sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

support.apple.com/kb/HT4077

tomcat.apache.org/security-4.html

tomcat.apache.org/security-5.html

tomcat.apache.org/security-6.html

www.debian.org/security/2011/dsa-2207

www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html

www.mandriva.com/security/advisories?name=MDVSA-2009:136

www.mandriva.com/security/advisories?name=MDVSA-2009:138

www.mandriva.com/security/advisories?name=MDVSA-2010:176

www.securityfocus.com/archive/1/504170/100/0/threaded

www.securityfocus.com/archive/1/504202/100/0/threaded

www.securityfocus.com/archive/1/507985/100/0/threaded

www.securityfocus.com/bid/35263

www.vmware.com/security/advisories/VMSA-2009-0016.html

www.vupen.com/english/advisories/2009/1520

www.vupen.com/english/advisories/2009/1535

www.vupen.com/english/advisories/2009/1856

www.vupen.com/english/advisories/2009/3316

www.vupen.com/english/advisories/2010/3056

lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445

www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

4.8 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.5%

JSON

Related for CVE-2008-5515

securityvulns5 packetstorm1 veracode1 nvd1 jvn1 ubuntucve1 cvelist1 prion1 nessus35 osv1 github1 redhat8 openvas45 fedora3 tomcat3 ubuntu1 centos1 oraclelinux1 debian1 ibm1 gentoo1 vmware2 threatpost1