Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score (CVSS v2 base): 5.0
CVE Id: CVE-2008-5515
Last Modified: 04 Dec 2013 05:51:25
Published: 16 Jun 2009 05:00:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE

CVE-2008-5515

Summary

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Vulnerable Systems

Application

  • Apache Tomcat 4.1.0
  • Apache Tomcat 4.1.1
  • Apache Tomcat 4.1.2
  • Apache Tomcat 4.1.3
  • Apache Tomcat 4.1.10
  • Apache Tomcat 4.1.11
  • Apache Tomcat 4.1.12
  • Apache Tomcat 4.1.13
  • Apache Tomcat 4.1.14
  • Apache Tomcat 4.1.15
  • Apache Tomcat 4.1.16
  • Apache Tomcat 4.1.17
  • Apache Tomcat 4.1.18
  • Apache Tomcat 4.1.19
  • Apache Tomcat 4.1.20
  • Apache Tomcat 4.1.21
  • Apache Tomcat 4.1.22
  • Apache Tomcat 4.1.23
  • Apache Tomcat 4.1.24
  • Apache Tomcat 4.1.25
  • Apache Tomcat 4.1.26
  • Apache Tomcat 4.1.27
  • Apache Tomcat 4.1.28
  • Apache Tomcat 4.1.29
  • Apache Tomcat 4.1.30
  • Apache Tomcat 4.1.31
  • Apache Tomcat 4.1.32
  • Apache Tomcat 4.1.33
  • Apache Tomcat 4.1.34
  • Apache Tomcat 4.1.35
  • Apache Tomcat 4.1.36
  • Apache Tomcat 4.1.37
  • Apache Tomcat 4.1.38
  • Apache Tomcat 4.1.39
  • Apache Tomcat 5.5.0
  • Apache Tomcat 5.5.1
  • Apache Tomcat 5.5.2
  • Apache Tomcat 5.5.3
  • Apache Tomcat 5.5.4
  • Apache Tomcat 5.5.5
  • Apache Tomcat 5.5.6
  • Apache Tomcat 5.5.7
  • Apache Tomcat 5.5.8
  • Apache Tomcat 5.5.9
  • Apache Tomcat 5.5.10
  • Apache Tomcat 5.5.11
  • Apache Tomcat 5.5.12
  • Apache Tomcat 5.5.13
  • Apache Tomcat 5.5.14
  • Apache Tomcat 5.5.15
  • Apache Tomcat 5.5.16
  • Apache Tomcat 5.5.17
  • Apache Tomcat 5.5.18
  • Apache Tomcat 5.5.19
  • Apache Tomcat 5.5.20
  • Apache Tomcat 5.5.21
  • Apache Tomcat 5.5.22
  • Apache Tomcat 5.5.23
  • Apache Tomcat 5.5.24
  • Apache Tomcat 5.5.25
  • Apache Tomcat 5.5.26
  • Apache Tomcat 5.5.27
  • Apache Tomcat 6.0
  • Apache Tomcat 6.0.0
  • Apache Tomcat 6.0.1
  • Apache Tomcat 6.0.2
  • Apache Tomcat 6.0.3
  • Apache Tomcat 6.0.4
  • Apache Tomcat 6.0.5
  • Apache Tomcat 6.0.6
  • Apache Tomcat 6.0.7
  • Apache Tomcat 6.0.9
  • Apache Tomcat 6.0.10
  • Apache Tomcat 6.0.12
  • Apache Tomcat 6.0.13
  • Apache Tomcat 6.0.14
  • Apache Tomcat 6.0.15
  • Apache Tomcat 6.0.16
  • Apache Tomcat 6.0.17
  • Apache Tomcat 6.0.18


References

VUPEN - ADV-2009-1520
BID - 35263
BUGTRAQ - 20090610 [SECURITY] UPDATED CVE-2008-5515 RequestDispatcher directory traversal vulnerability
BUGTRAQ - 20090608 [SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability
CONFIRM - http://tomcat.apache.org/security-6.html
CONFIRM - http://tomcat.apache.org/security-5.html
CONFIRM - http://tomcat.apache.org/security-4.html
JVN - JVN#63832775
FEDORA - FEDORA-2009-11356
FEDORA - FEDORA-2009-11352
FEDORA - FEDORA-2009-11374
VUPEN - ADV-2010-3056
VUPEN - ADV-2009-3316
VUPEN - ADV-2009-1856
VUPEN - ADV-2009-1535
CONFIRM - http://www.vmware.com/security/advisories/VMSA-2009-0016.html
BUGTRAQ - 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components
MANDRIVA - MDVSA-2010:176
MANDRIVA - MDVSA-2009:138
MANDRIVA - MDVSA-2009:136
CONFIRM - http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html
DEBIAN - DSA-2207
CONFIRM - http://support.apple.com/kb/HT4077
SUNALERT - 263529
SECUNIA - 44183
SECUNIA - 42368
SECUNIA - 39317
SECUNIA - 37460
SECUNIA - 35788
SECUNIA - 35685
SECUNIA - 35393
HP - HPSBUX02579
SUSE - SUSE-SR:2010:008
SUSE - SUSE-SR:2009:012
APPLE - APPLE-SA-2010-03-29-1
HP - SSRT101146
HP - HPSBUX02860
HP - SSRT100203


Last Updated: 27 May 2016 10:50:00