Lucene search

PRIOn knowledge basePRION:CVE-2008-2938

HistoryAug 13, 2008 - 12:41 a.m.

Directory traversal

2008-08-1300:41:00

PRIOn knowledge base

www.prio-n.com

6.5 Medium

AI Score

Confidence

Low

0.971 High

EPSS

Percentile

99.8%

JSON

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

CPENameOperatorVersion
tomcatge6.0.0
tomcatle6.0.16
tomcatge4.0.0
tomcatle4.1.37
tomcatge5.0.0
tomcatle5.5.26

Name	Operator	Version
tomcat	ge	6.0.0
tomcat	le	6.0.16
tomcat	ge	4.0.0
tomcat	le	4.1.37
tomcat	ge	5.0.0
tomcat	le	5.5.26

References

lists.apple.com/archives/security-announce/2008/Oct/msg00001.html

lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html

lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html

secunia.com/advisories/31639

secunia.com/advisories/31865

secunia.com/advisories/31891

secunia.com/advisories/31982

secunia.com/advisories/32120

secunia.com/advisories/32222

secunia.com/advisories/32266

secunia.com/advisories/33797

secunia.com/advisories/37297

securityreason.com/securityalert/4148

support.apple.com/kb/HT3216

support.avaya.com/elmodocs2/security/ASA-2008-401.htm

tomcat.apache.org/security-4.html

tomcat.apache.org/security-5.html

tomcat.apache.org/security-6.html

www.kb.cert.org/vuls/id/343355

www.mandriva.com/security/advisories?name=MDVSA-2008:188

www.redhat.com/support/errata/RHSA-2008-0648.html

www.redhat.com/support/errata/RHSA-2008-0862.html

www.redhat.com/support/errata/RHSA-2008-0864.html

www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt

www.securityfocus.com/archive/1/495318/100/0/threaded

www.securityfocus.com/archive/1/507729/100/0/threaded

www.securityfocus.com/bid/30633

www.securityfocus.com/bid/31681

www.securitytracker.com/id?1020665

www.vupen.com/english/advisories/2008/2343

www.vupen.com/english/advisories/2008/2780

www.vupen.com/english/advisories/2008/2823

www.vupen.com/english/advisories/2009/0320

exchange.xforce.ibmcloud.com/vulnerabilities/44411

lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

marc.info/?l=bugtraq&m=123376588623823&w=2

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10587

www.exploit-db.com/exploits/6229

www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html

www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html

www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html