CVE-2008-2938
5.8 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.971 High
EPSS
Percentile
99.8%
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache:tomcat | apache tomcat | le | 6.0.16 |
| apache:tomcat | apache tomcat | le | 4.1.37 |
| apache:tomcat | apache tomcat | le | 5.5.26 |
References
lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
marc.info/?l=bugtraq&m=123376588623823&w=2
secunia.com/advisories/31639
secunia.com/advisories/31865
secunia.com/advisories/31891
secunia.com/advisories/31982
secunia.com/advisories/32120
secunia.com/advisories/32222
secunia.com/advisories/32266
secunia.com/advisories/33797
secunia.com/advisories/37297
securityreason.com/securityalert/4148
support.apple.com/kb/HT3216
support.avaya.com/elmodocs2/security/ASA-2008-401.htm
tomcat.apache.org/security-4.html
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
www.kb.cert.org/vuls/id/343355
www.mandriva.com/security/advisories?name=MDVSA-2008:188
www.redhat.com/support/errata/RHSA-2008-0648.html
www.redhat.com/support/errata/RHSA-2008-0862.html
www.redhat.com/support/errata/RHSA-2008-0864.html
www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt
www.securityfocus.com/archive/1/495318/100/0/threaded
www.securityfocus.com/archive/1/507729/100/0/threaded
www.securityfocus.com/bid/30633
www.securityfocus.com/bid/31681
www.securitytracker.com/id?1020665
www.vupen.com/english/advisories/2008/2343
www.vupen.com/english/advisories/2008/2780
www.vupen.com/english/advisories/2008/2823
www.vupen.com/english/advisories/2009/0320
exchange.xforce.ibmcloud.com/vulnerabilities/44411
lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10587
www.exploit-db.com/exploits/6229
www.redhat.com/archives/fedora-package-announce/2008-September/msg00712.html
www.redhat.com/archives/fedora-package-announce/2008-September/msg00859.html
www.redhat.com/archives/fedora-package-announce/2008-September/msg00889.html
Social References
More
Related
5.8 Medium
AI Score
Confidence
High
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
0.971 High
EPSS
Percentile
99.8%