CVE - CVE-2008-2938

CVE-ID
CVE-2008-2938	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
BUGTRAQ:20080811 Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability URL:http://www.securityfocus.com/archive/1/495318/100/0/threaded BUGTRAQ:20091107 ToutVirtual VirtualIQ Multiple Vulnerabilities URL:http://www.securityfocus.com/archive/1/507729/100/0/threaded EXPLOIT-DB:6229 URL:https://www.exploit-db.com/exploits/6229 MISC:http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt CONFIRM:http://tomcat.apache.org/security-6.html CONFIRM:http://tomcat.apache.org/security-4.html CONFIRM:http://tomcat.apache.org/security-5.html CONFIRM:http://support.apple.com/kb/HT3216 CONFIRM:http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm APPLE:APPLE-SA-2008-10-09 URL:http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html FEDORA:FEDORA-2008-8113 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html FEDORA:FEDORA-2008-8130 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html FEDORA:FEDORA-2008-7977 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html HP:HPSBUX02401 URL:http://marc.info/?l=bugtraq&m=123376588623823&w=2 HP:SSRT090005 URL:http://marc.info/?l=bugtraq&m=123376588623823&w=2 MANDRIVA:MDVSA-2008:188 URL:http://www.mandriva.com/security/advisories?name=MDVSA-2008:188 REDHAT:RHSA-2008:0648 URL:http://www.redhat.com/support/errata/RHSA-2008-0648.html REDHAT:RHSA-2008:0862 URL:http://www.redhat.com/support/errata/RHSA-2008-0862.html REDHAT:RHSA-2008:0864 URL:http://www.redhat.com/support/errata/RHSA-2008-0864.html SUSE:SUSE-SR:2008:018 URL:http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html SUSE:SUSE-SR:2009:004 URL:http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html CERT-VN:VU#343355 URL:http://www.kb.cert.org/vuls/id/343355 BID:30633 URL:http://www.securityfocus.com/bid/30633 BID:31681 URL:http://www.securityfocus.com/bid/31681 OVAL:oval:org.mitre.oval:def:10587 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10587 SECUNIA:37297 URL:http://secunia.com/advisories/37297 VUPEN:ADV-2008-2343 URL:http://www.vupen.com/english/advisories/2008/2343 VUPEN:ADV-2008-2823 URL:http://www.vupen.com/english/advisories/2008/2823 VUPEN:ADV-2008-2780 URL:http://www.vupen.com/english/advisories/2008/2780 VUPEN:ADV-2009-0320 URL:http://www.vupen.com/english/advisories/2009/0320 SECTRACK:1020665 URL:http://www.securitytracker.com/id?1020665 SECUNIA:31639 URL:http://secunia.com/advisories/31639 SECUNIA:31891 URL:http://secunia.com/advisories/31891 SECUNIA:31865 URL:http://secunia.com/advisories/31865 SECUNIA:32222 URL:http://secunia.com/advisories/32222 SECUNIA:31982 URL:http://secunia.com/advisories/31982 SECUNIA:33797 URL:http://secunia.com/advisories/33797 SECUNIA:32120 URL:http://secunia.com/advisories/32120 SECUNIA:32266 URL:http://secunia.com/advisories/32266 SREASON:4148 URL:http://securityreason.com/securityalert/4148 XF:tomcat-allowlinking-utf8-directory-traversal(44411) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/44411
Assigning CNA
N/A
Date Entry Created
20080630	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20080630)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: cve@mitre.org

Use of the Common Vulnerabilities and Exposures (CVE®) List and the associated references from this website are subject to the terms of use. CVE is sponsored by US-CERT in the office of Cybersecurity and Communications at the U.S. Department of Homeland Security. Copyright © 1999–2018, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation. For more information, please contact us.