CVE-2008-5515: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
(updated )
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
References
- jvn.jp/en/jp/JVN63832775/index.html
- marc.info/?l=bugtraq&m=127420533226623&w=2
- marc.info/?l=bugtraq&m=129070310906557&w=2
- marc.info/?l=bugtraq&m=136485229118404&w=2
- support.apple.com/kb/HT4077
- tomcat.apache.org/security-4.html
- tomcat.apache.org/security-5.html
- tomcat.apache.org/security-6.html
- www.debian.org/security/2011/dsa-2207
- www.vmware.com/security/advisories/VMSA-2009-0016.html
- github.com/advisories/GHSA-9737-qmgc-hfr9
- lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
- lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
- nvd.nist.gov/vuln/detail/CVE-2008-5515
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452
- oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445
- www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
- www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
- www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
Code Behaviors & Features
Detect and mitigate CVE-2008-5515 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →