Lucene search

[email protected]NVD:CVE-2008-5515

HistoryJun 16, 2009 - 9:00 p.m.

CVE-2008-5515

2009-06-1621:00:00

CWE-22

[email protected]

web.nvd.nist.gov

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

4.7

Confidence

High

EPSS

0.004

Percentile

73.5%

JSON

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via … (dot dot) sequences and the WEB-INF directory in a Request.

Affected configurations

Nvd

Node

apachetomcatMatch4.1.0

apachetomcatMatch4.1.1

apachetomcatMatch4.1.2

apachetomcatMatch4.1.3

apachetomcatMatch4.1.10

apachetomcatMatch4.1.11

apachetomcatMatch4.1.12

apachetomcatMatch4.1.13

apachetomcatMatch4.1.14

apachetomcatMatch4.1.15

apachetomcatMatch4.1.16

apachetomcatMatch4.1.17

apachetomcatMatch4.1.18

apachetomcatMatch4.1.19

apachetomcatMatch4.1.20

apachetomcatMatch4.1.21

apachetomcatMatch4.1.22

apachetomcatMatch4.1.23

apachetomcatMatch4.1.24

apachetomcatMatch4.1.25

apachetomcatMatch4.1.26

apachetomcatMatch4.1.27

apachetomcatMatch4.1.28

apachetomcatMatch4.1.29

apachetomcatMatch4.1.30

apachetomcatMatch4.1.31

apachetomcatMatch4.1.32

apachetomcatMatch4.1.33

apachetomcatMatch4.1.34

apachetomcatMatch4.1.35

apachetomcatMatch4.1.36

apachetomcatMatch4.1.37

apachetomcatMatch4.1.38

apachetomcatMatch4.1.39

apachetomcatMatch5.5.0

apachetomcatMatch5.5.1

apachetomcatMatch5.5.2

apachetomcatMatch5.5.3

apachetomcatMatch5.5.4

apachetomcatMatch5.5.5

apachetomcatMatch5.5.6

apachetomcatMatch5.5.7

apachetomcatMatch5.5.8

apachetomcatMatch5.5.9

apachetomcatMatch5.5.10

apachetomcatMatch5.5.11

apachetomcatMatch5.5.12

apachetomcatMatch5.5.13

apachetomcatMatch5.5.14

apachetomcatMatch5.5.15

apachetomcatMatch5.5.16

apachetomcatMatch5.5.17

apachetomcatMatch5.5.18

apachetomcatMatch5.5.19

apachetomcatMatch5.5.20

apachetomcatMatch5.5.21

apachetomcatMatch5.5.22

apachetomcatMatch5.5.23

apachetomcatMatch5.5.24

apachetomcatMatch5.5.25

apachetomcatMatch5.5.26

apachetomcatMatch5.5.27

apachetomcatMatch6.0

apachetomcatMatch6.0.0

apachetomcatMatch6.0.1

apachetomcatMatch6.0.2

apachetomcatMatch6.0.3

apachetomcatMatch6.0.4

apachetomcatMatch6.0.5

apachetomcatMatch6.0.6

apachetomcatMatch6.0.7

apachetomcatMatch6.0.9

apachetomcatMatch6.0.10

apachetomcatMatch6.0.12

apachetomcatMatch6.0.13

apachetomcatMatch6.0.14

apachetomcatMatch6.0.15

apachetomcatMatch6.0.16

apachetomcatMatch6.0.17

apachetomcatMatch6.0.18

VendorProductVersionCPE
apachetomcat4.1.0cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*
apachetomcat4.1.1cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*
apachetomcat4.1.2cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*
apachetomcat4.1.3cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*
apachetomcat4.1.10cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*
apachetomcat4.1.11cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*
apachetomcat4.1.12cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*
apachetomcat4.1.13cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*
apachetomcat4.1.14cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*
apachetomcat4.1.15cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
apache	tomcat	4.1.0	cpe:2.3:a:apache:tomcat:4.1.0:::::::*
apache	tomcat	4.1.1	cpe:2.3:a:apache:tomcat:4.1.1:::::::*
apache	tomcat	4.1.2	cpe:2.3:a:apache:tomcat:4.1.2:::::::*
apache	tomcat	4.1.3	cpe:2.3:a:apache:tomcat:4.1.3:::::::*
apache	tomcat	4.1.10	cpe:2.3:a:apache:tomcat:4.1.10:::::::*
apache	tomcat	4.1.11	cpe:2.3:a:apache:tomcat:4.1.11:::::::*
apache	tomcat	4.1.12	cpe:2.3:a:apache:tomcat:4.1.12:::::::*
apache	tomcat	4.1.13	cpe:2.3:a:apache:tomcat:4.1.13:::::::*
apache	tomcat	4.1.14	cpe:2.3:a:apache:tomcat:4.1.14:::::::*
apache	tomcat	4.1.15	cpe:2.3:a:apache:tomcat:4.1.15:::::::*

Rows per page:

1-10 of 801

References

jvn.jp/en/jp/JVN63832775/index.html

lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html

marc.info/?l=bugtraq&m=127420533226623&w=2

marc.info/?l=bugtraq&m=129070310906557&w=2

marc.info/?l=bugtraq&m=136485229118404&w=2

secunia.com/advisories/35393

secunia.com/advisories/35685

secunia.com/advisories/35788

secunia.com/advisories/37460

secunia.com/advisories/39317

secunia.com/advisories/42368

secunia.com/advisories/44183

sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

support.apple.com/kb/HT4077

tomcat.apache.org/security-4.html

tomcat.apache.org/security-5.html

tomcat.apache.org/security-6.html

www.debian.org/security/2011/dsa-2207

www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html

www.mandriva.com/security/advisories?name=MDVSA-2009:136

www.mandriva.com/security/advisories?name=MDVSA-2009:138

www.mandriva.com/security/advisories?name=MDVSA-2010:176

www.securityfocus.com/archive/1/504170/100/0/threaded

www.securityfocus.com/archive/1/504202/100/0/threaded

www.securityfocus.com/archive/1/507985/100/0/threaded

www.securityfocus.com/bid/35263

www.vmware.com/security/advisories/VMSA-2009-0016.html

www.vupen.com/english/advisories/2009/1520

www.vupen.com/english/advisories/2009/1535

www.vupen.com/english/advisories/2009/1856

www.vupen.com/english/advisories/2009/3316

www.vupen.com/english/advisories/2010/3056

lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452

oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445

www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

4.7

Confidence

High

EPSS

0.004

Percentile

73.5%

JSON

Related for NVD:CVE-2008-5515

securityvulns5 ubuntucve1 nessus35 prion1 cvelist1 jvn1 github1 veracode1 packetstorm1 osv1 cve1 redhat8 openvas45 ubuntu1 fedora3 tomcat3 centos1 oraclelinux1 debian1 ibm1 gentoo1 vmware2 threatpost1