CVE-2008-5515 – org.apache.tomcat:tomcat
Package
Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=4.1.0 <4.1.40 || >=5.5.0 <5.5.28 || >=6.0.0 <6.0.20
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.34279 (percentile: 0.96852)
Details
Directory Traversal in Apache Tomcat

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
Metadata
Created: 2022-05-14T01:17:23Z
Modified: 2024-02-21T19:56:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-9737-qmgc-hfr9/GHSA-9737-qmgc-hfr9.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-9737-qmgc-hfr9
Finding: F063
Auto approve: 1