CVE - CVE-2008-2938

CVE-ID
CVE-2008-2938	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
MISC:1020665 URL:http://www.securitytracker.com/id?1020665 MISC:20080811 Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability URL:http://www.securityfocus.com/archive/1/495318/100/0/threaded MISC:20091107 ToutVirtual VirtualIQ Multiple Vulnerabilities URL:http://www.securityfocus.com/archive/1/507729/100/0/threaded MISC:30633 URL:http://www.securityfocus.com/bid/30633 MISC:31639 URL:http://secunia.com/advisories/31639 MISC:31681 URL:http://www.securityfocus.com/bid/31681 MISC:31865 URL:http://secunia.com/advisories/31865 MISC:31891 URL:http://secunia.com/advisories/31891 MISC:31982 URL:http://secunia.com/advisories/31982 MISC:32120 URL:http://secunia.com/advisories/32120 MISC:32222 URL:http://secunia.com/advisories/32222 MISC:32266 URL:http://secunia.com/advisories/32266 MISC:33797 URL:http://secunia.com/advisories/33797 MISC:37297 URL:http://secunia.com/advisories/37297 MISC:4148 URL:http://securityreason.com/securityalert/4148 MISC:6229 URL:https://www.exploit-db.com/exploits/6229 MISC:ADV-2008-2343 URL:~~http://www.vupen.com/english/advisories/2008/2343~~ (Obsolete source) MISC:ADV-2008-2780 URL:~~http://www.vupen.com/english/advisories/2008/2780~~ (Obsolete source) MISC:ADV-2008-2823 URL:~~http://www.vupen.com/english/advisories/2008/2823~~ (Obsolete source) MISC:ADV-2009-0320 URL:~~http://www.vupen.com/english/advisories/2009/0320~~ (Obsolete source) MISC:APPLE-SA-2008-10-09 URL:http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html MISC:FEDORA-2008-7977 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html MISC:FEDORA-2008-8113 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html MISC:FEDORA-2008-8130 URL:https://www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html MISC:HPSBUX02401 URL:http://marc.info/?l=bugtraq&m=123376588623823&w=2 MISC:MDVSA-2008:188 URL:~~http://www.mandriva.com/security/advisories?name=MDVSA-2008:188~~ (Obsolete source) MISC:RHSA-2008:0648 URL:http://www.redhat.com/support/errata/RHSA-2008-0648.html MISC:RHSA-2008:0862 URL:http://www.redhat.com/support/errata/RHSA-2008-0862.html MISC:RHSA-2008:0864 URL:http://www.redhat.com/support/errata/RHSA-2008-0864.html MISC:SSRT090005 URL:http://marc.info/?l=bugtraq&m=123376588623823&w=2 MISC:SUSE-SR:2008:018 URL:http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html MISC:SUSE-SR:2009:004 URL:http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html MISC:VU#343355 URL:http://www.kb.cert.org/vuls/id/343355 MISC:[tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ URL:https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E MISC:[tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ URL:https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E MISC:[tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/ URL:https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E MISC:http://support.apple.com/kb/HT3216 URL:http://support.apple.com/kb/HT3216 MISC:http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm URL:http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm MISC:http://tomcat.apache.org/security-4.html URL:http://tomcat.apache.org/security-4.html MISC:http://tomcat.apache.org/security-5.html URL:http://tomcat.apache.org/security-5.html MISC:http://tomcat.apache.org/security-6.html URL:http://tomcat.apache.org/security-6.html MISC:http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt URL:http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt MISC:oval:org.mitre.oval:def:10587 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10587 MISC:tomcat-allowlinking-utf8-directory-traversal(44411) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/44411
Assigning CNA
Red Hat, Inc.
Date Record Created
20080630	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20080630)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)