Lumension® Endpoint Intelligence Center

Overview

Vulnerability Score: 4.3
CVE Id: CVE-2008-2938
Last Modified: 07 Mar 2011 10:09:58
Published: 12 Aug 2008 08:41:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE

CVE-2008-2938

Summary

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

Vulnerable Systems

Application

  • Apache Software Foundation Tomcat 6.0.16

  • Apache Tomcat 6.0.0

  • Apache Tomcat 6.0.1

  • Apache Tomcat 6.0.10

  • Apache Tomcat 6.0.11

  • Apache Tomcat 6.0.12

  • Apache Tomcat 6.0.13

  • Apache Tomcat 6.0.14

  • Apache Tomcat 6.0.15

  • Apache Tomcat 6.0.2

  • Apache Tomcat 6.0.3

  • Apache Tomcat 6.0.4

  • Apache Tomcat 6.0.5

  • Apache Tomcat 6.0.6

  • Apache Tomcat 6.0.7

  • Apache Tomcat 6.0.8

  • Apache Tomcat 6.0.9

References

CERT-VN - VU#343355

CONFIRM - http://tomcat.apache.org/security-6.html

FEDORA - FEDORA-2008-8130

FEDORA - FEDORA-2008-8113

FEDORA - FEDORA-2008-7977

XF - tomcat-allowlinking-utf8-directory-traversal(44411)

VUPEN - ADV-2009-0320

VUPEN - ADV-2008-2823

VUPEN - ADV-2008-2780

VUPEN - ADV-2008-2343

SECTRACK - 1020665

BID - 31681

BID - 30633

BUGTRAQ - 20091107 ToutVirtual VirtualIQ Multiple Vulnerabilities

BUGTRAQ - 20080811 Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability

MISC - http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt

REDHAT - RHSA-2008:0864

REDHAT - RHSA-2008:0862

REDHAT - RHSA-2008:0648

MILW0RM - 6229

MANDRIVA - MDVSA-2008:188

CONFIRM - http://tomcat.apache.org/security-5.html

CONFIRM - http://tomcat.apache.org/security-4.html

CONFIRM - http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm

CONFIRM - http://support.apple.com/kb/HT3216

SREASON - 4148

SECUNIA - 37297

SECUNIA - 33797

SECUNIA - 32266

SECUNIA - 32222

SECUNIA - 32120

SECUNIA - 31982

SECUNIA - 31891

SECUNIA - 31865

SECUNIA - 31639

HP - HPSBUX02401

SUSE - SUSE-SR:2009:004

SUSE - SUSE-SR:2008:018

APPLE - APPLE-SA-2008-10-09

HP - SSRT090005

Related Patches

Apple 2008-10-09 Security Update 2008-007 Server (Leopard)

Last Updated: 27 May 2016 10:49:54