CVE-2002-2009 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=4.0.0 <=4.0.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.03215 (percentile 0.86544)
Details
Apache Tomcat Leaks Pathname Information via Error Message
Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3) </, and (4) %20/, which leaks the pathname in an error message.
Metadata
Created: 2022-04-30T18:22:19Z
Modified: 2025-04-03T16:15:46Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-r6cf-cr44-m8rr/GHSA-r6cf-cr44-m8rr.json
CWE IDs: ["CWE-209"]
Alternative ID: GHSA-r6cf-cr44-m8rr
Finding: F037
Auto approve: 1