CVE - CVE-2008-2370

CVE-ID
CVE-2008-2370	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20080801 [CVE-2008-2370] Apache Tomcat information disclosure vulnerability URL:http://www.securityfocus.com/archive/1/495022/100/0/threaded BUGTRAQ:20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components URL:http://www.securityfocus.com/archive/1/507985/100/0/threaded CONFIRM:http://tomcat.apache.org/security-4.html CONFIRM:http://tomcat.apache.org/security-5.html CONFIRM:http://tomcat.apache.org/security-6.html CONFIRM:http://support.apple.com/kb/HT3216 CONFIRM:http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm CONFIRM:http://www.vmware.com/security/advisories/VMSA-2009-0002.html CONFIRM:http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html CONFIRM:http://www.vmware.com/security/advisories/VMSA-2009-0016.html APPLE:APPLE-SA-2008-10-09 URL:http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html FEDORA:FEDORA-2008-8113 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html FEDORA:FEDORA-2008-8130 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html FEDORA:FEDORA-2008-7977 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html HP:HPSBUX02401 URL:http://marc.info/?l=bugtraq&m=123376588623823&w=2 HP:SSRT090005 URL:http://marc.info/?l=bugtraq&m=123376588623823&w=2 HP:HPSBST02955 URL:http://marc.info/?l=bugtraq&m=139344343412337&w=2 MANDRIVA:MDVSA-2008:188 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2008:188 REDHAT:RHSA-2008:0648 URL:http://www.redhat.com/support/errata/RHSA-2008-0648.html REDHAT:RHSA-2008:0862 URL:http://www.redhat.com/support/errata/RHSA-2008-0862.html REDHAT:RHSA-2008:0864 URL:http://www.redhat.com/support/errata/RHSA-2008-0864.html SUSE:SUSE-SR:2008:018 URL:http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html SUSE:SUSE-SR:2009:004 URL:http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html BID:30494 URL:http://www.securityfocus.com/bid/30494 BID:31681 URL:http://www.securityfocus.com/bid/31681 OVAL:oval:org.mitre.oval:def:5876 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5876 OVAL:oval:org.mitre.oval:def:10577 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10577 SECUNIA:33999 URL:http://secunia.com/advisories/33999 SECUNIA:34013 URL:http://secunia.com/advisories/34013 SECUNIA:35393 URL:http://secunia.com/advisories/35393 SECUNIA:36249 URL:http://secunia.com/advisories/36249 SECUNIA:37460 URL:http://secunia.com/advisories/37460 SECUNIA:57126 URL:http://secunia.com/advisories/57126 VUPEN:ADV-2008-2305 URL:http://www.vupen.com/english/advisories/2008/2305 VUPEN:ADV-2008-2823 URL:http://www.vupen.com/english/advisories/2008/2823 VUPEN:ADV-2008-2780 URL:http://www.vupen.com/english/advisories/2008/2780 VUPEN:ADV-2009-0320 URL:http://www.vupen.com/english/advisories/2009/0320 SECTRACK:1020623 URL:http://www.securitytracker.com/id?1020623 SECUNIA:31379 URL:http://secunia.com/advisories/31379 SECUNIA:31381 URL:http://secunia.com/advisories/31381 SECUNIA:31639 URL:http://secunia.com/advisories/31639 SECUNIA:31891 URL:http://secunia.com/advisories/31891 SECUNIA:31865 URL:http://secunia.com/advisories/31865 SECUNIA:32222 URL:http://secunia.com/advisories/32222 SECUNIA:31982 URL:http://secunia.com/advisories/31982 SECUNIA:33797 URL:http://secunia.com/advisories/33797 SECUNIA:32120 URL:http://secunia.com/advisories/32120 SECUNIA:32266 URL:http://secunia.com/advisories/32266 SREASON:4099 URL:http://securityreason.com/securityalert/4099 VUPEN:ADV-2009-0503 URL:http://www.vupen.com/english/advisories/2009/0503 VUPEN:ADV-2009-1535 URL:http://www.vupen.com/english/advisories/2009/1535 VUPEN:ADV-2009-2215 URL:http://www.vupen.com/english/advisories/2009/2215 VUPEN:ADV-2009-3316 URL:http://www.vupen.com/english/advisories/2009/3316 XF:tomcat-requestdispatcher-info-disclosure(44156) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/44156
Assigning CNA
N/A
Date Entry Created
20080521	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20080521)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org