Lucene search

[email protected]NVD:CVE-2015-5345

HistoryFeb 25, 2016 - 1:59 a.m.

CVE-2015-5345

2016-02-2501:59:01

CWE-22

[email protected]

web.nvd.nist.gov

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.9%

JSON

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

Affected configurations

NVD

Node

debiandebian_linuxMatch7.0

debiandebian_linuxMatch8.0

Node

apachetomcatMatch6.0.0

apachetomcatMatch6.0.0alpha

apachetomcatMatch6.0.1

apachetomcatMatch6.0.1alpha

apachetomcatMatch6.0.2

apachetomcatMatch6.0.2alpha

apachetomcatMatch6.0.2beta

apachetomcatMatch6.0.4

apachetomcatMatch6.0.4alpha

apachetomcatMatch6.0.10

apachetomcatMatch6.0.11

apachetomcatMatch6.0.13

apachetomcatMatch6.0.14

apachetomcatMatch6.0.16

apachetomcatMatch6.0.18

apachetomcatMatch6.0.20

apachetomcatMatch6.0.24

apachetomcatMatch6.0.26

apachetomcatMatch6.0.28

apachetomcatMatch6.0.29

apachetomcatMatch6.0.30

apachetomcatMatch6.0.32

apachetomcatMatch6.0.33

apachetomcatMatch6.0.35

apachetomcatMatch6.0.36

apachetomcatMatch6.0.37

apachetomcatMatch6.0.39

apachetomcatMatch6.0.41

apachetomcatMatch6.0.43

apachetomcatMatch6.0.44

apachetomcatMatch7.0.0beta

apachetomcatMatch7.0.2beta

apachetomcatMatch7.0.4beta

apachetomcatMatch7.0.5beta

apachetomcatMatch7.0.6

apachetomcatMatch7.0.10

apachetomcatMatch7.0.11

apachetomcatMatch7.0.12

apachetomcatMatch7.0.14

apachetomcatMatch7.0.16

apachetomcatMatch7.0.19

apachetomcatMatch7.0.20

apachetomcatMatch7.0.21

apachetomcatMatch7.0.22

apachetomcatMatch7.0.23

apachetomcatMatch7.0.25

apachetomcatMatch7.0.26

apachetomcatMatch7.0.27

apachetomcatMatch7.0.28

apachetomcatMatch7.0.29

apachetomcatMatch7.0.30

apachetomcatMatch7.0.32

apachetomcatMatch7.0.33

apachetomcatMatch7.0.34

apachetomcatMatch7.0.35

apachetomcatMatch7.0.37

apachetomcatMatch7.0.39

apachetomcatMatch7.0.40

apachetomcatMatch7.0.41

apachetomcatMatch7.0.42

apachetomcatMatch7.0.47

apachetomcatMatch7.0.50

apachetomcatMatch7.0.52

apachetomcatMatch7.0.53

apachetomcatMatch7.0.54

apachetomcatMatch7.0.55

apachetomcatMatch7.0.56

apachetomcatMatch7.0.57

apachetomcatMatch7.0.59

apachetomcatMatch7.0.61

apachetomcatMatch7.0.62

apachetomcatMatch7.0.63

apachetomcatMatch7.0.64

apachetomcatMatch7.0.65

apachetomcatMatch8.0.0rc1

apachetomcatMatch8.0.0rc10

apachetomcatMatch8.0.0rc3

apachetomcatMatch8.0.0rc5

apachetomcatMatch8.0.1

apachetomcatMatch8.0.3

apachetomcatMatch8.0.11

apachetomcatMatch8.0.12

apachetomcatMatch8.0.14

apachetomcatMatch8.0.15

apachetomcatMatch8.0.17

apachetomcatMatch8.0.18

apachetomcatMatch8.0.20

apachetomcatMatch8.0.21

apachetomcatMatch8.0.22

apachetomcatMatch8.0.23

apachetomcatMatch8.0.24

apachetomcatMatch8.0.26

apachetomcatMatch8.0.27

apachetomcatMatch8.0.28

apachetomcatMatch8.0.29

apachetomcatMatch9.0.0milestone1

Node

canonicalubuntu_linuxMatch12.04lts

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch15.10

canonicalubuntu_linuxMatch16.04lts

References

lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

marc.info/?l=bugtraq&m=145974991225029&w=2

packetstormsecurity.com/files/135892/Apache-Tomcat-Directory-Disclosure.html

rhn.redhat.com/errata/RHSA-2016-1089.html

rhn.redhat.com/errata/RHSA-2016-2045.html

rhn.redhat.com/errata/RHSA-2016-2599.html

seclists.org/bugtraq/2016/Feb/146

seclists.org/fulldisclosure/2016/Feb/122

svn.apache.org/viewvc?view=revision&revision=1715206

svn.apache.org/viewvc?view=revision&revision=1715207

svn.apache.org/viewvc?view=revision&revision=1715213

svn.apache.org/viewvc?view=revision&revision=1715216

svn.apache.org/viewvc?view=revision&revision=1716882

svn.apache.org/viewvc?view=revision&revision=1716894

svn.apache.org/viewvc?view=revision&revision=1717209

svn.apache.org/viewvc?view=revision&revision=1717212

svn.apache.org/viewvc?view=revision&revision=1717216

tomcat.apache.org/security-6.html

tomcat.apache.org/security-7.html

tomcat.apache.org/security-8.html

tomcat.apache.org/security-9.html

www.debian.org/security/2016/dsa-3530

www.debian.org/security/2016/dsa-3552

www.debian.org/security/2016/dsa-3609

www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

www.qcsec.com/blog/CVE-2015-5345-apache-tomcat-vulnerability.html

www.securityfocus.com/bid/83328

www.securitytracker.com/id/1035071

www.ubuntu.com/usn/USN-3024-1

access.redhat.com/errata/RHSA-2016:1087

access.redhat.com/errata/RHSA-2016:1088

bto.bluecoat.com/security-advisory/sa118

bz.apache.org/bugzilla/show_bug.cgi?id=58765

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

kc.mcafee.com/corporate/index?page=content&id=SB10156

lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

security.gentoo.org/glsa/201705-09

security.netapp.com/advisory/ntap-20180531-0001/

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

6.7 Medium

AI Score

Confidence

High

0.004 Low

EPSS

Percentile

73.9%

JSON

Related for NVD:CVE-2015-5345