CVE-2008-2370

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in maven/org.apache.tomcat/tomcat

Identifiers

GHSA-m8h8-6rvg-f4mg, CVE-2008-2370

Package Slug

maven/org.apache.tomcat/tomcat

Vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Description

Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.

Affected Versions

All versions starting from 4.1.0 up to 4.1.37, all versions starting from 5.5.0 up to 5.5.26, all versions starting from 6.0.0 up to 6.0.16

Solution

Upgrade to versions 4.1.38, 5.5.27, 6.0.18 or above.

Last Modified

2024-02-12

source