GHSA-m8h8-6rvg-f4mg, CVE-2008-2370
maven/org.apache.tomcat/tomcat
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.
All versions starting from 4.1.0 up to 4.1.37, all versions starting from 5.5.0 up to 5.5.26, all versions starting from 6.0.0 up to 6.0.16
Upgrade to versions 4.1.38, 5.5.27, 6.0.18 or above.
2024-02-12
source |