Lucene search

[email protected]NVD:CVE-2015-5174

HistoryFeb 25, 2016 - 1:59 a.m.

CVE-2015-5174

2016-02-2501:59:00

CWE-22

[email protected]

web.nvd.nist.gov

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

EPSS

0.002

Percentile

61.9%

JSON

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /… (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Affected configurations

Nvd

Node

debiandebian_linuxMatch7.0

debiandebian_linuxMatch8.0

Node

apachetomcatMatch6.0.0

apachetomcatMatch6.0.0alpha

apachetomcatMatch6.0.1

apachetomcatMatch6.0.1alpha

apachetomcatMatch6.0.2

apachetomcatMatch6.0.2alpha

apachetomcatMatch6.0.2beta

apachetomcatMatch6.0.4

apachetomcatMatch6.0.4alpha

apachetomcatMatch6.0.10

apachetomcatMatch6.0.11

apachetomcatMatch6.0.13

apachetomcatMatch6.0.14

apachetomcatMatch6.0.16

apachetomcatMatch6.0.18

apachetomcatMatch6.0.20

apachetomcatMatch6.0.24

apachetomcatMatch6.0.26

apachetomcatMatch6.0.28

apachetomcatMatch6.0.29

apachetomcatMatch6.0.30

apachetomcatMatch6.0.32

apachetomcatMatch6.0.33

apachetomcatMatch6.0.35

apachetomcatMatch6.0.36

apachetomcatMatch6.0.37

apachetomcatMatch6.0.39

apachetomcatMatch6.0.41

apachetomcatMatch6.0.43

apachetomcatMatch6.0.44

apachetomcatMatch7.0.0beta

apachetomcatMatch7.0.2beta

apachetomcatMatch7.0.4beta

apachetomcatMatch7.0.5beta

apachetomcatMatch7.0.6

apachetomcatMatch7.0.10

apachetomcatMatch7.0.11

apachetomcatMatch7.0.12

apachetomcatMatch7.0.14

apachetomcatMatch7.0.16

apachetomcatMatch7.0.19

apachetomcatMatch7.0.20

apachetomcatMatch7.0.21

apachetomcatMatch7.0.22

apachetomcatMatch7.0.23

apachetomcatMatch7.0.25

apachetomcatMatch7.0.26

apachetomcatMatch7.0.27

apachetomcatMatch7.0.28

apachetomcatMatch7.0.29

apachetomcatMatch7.0.30

apachetomcatMatch7.0.32

apachetomcatMatch7.0.33

apachetomcatMatch7.0.34

apachetomcatMatch7.0.35

apachetomcatMatch7.0.37

apachetomcatMatch7.0.39

apachetomcatMatch7.0.40

apachetomcatMatch7.0.41

apachetomcatMatch7.0.42

apachetomcatMatch7.0.47

apachetomcatMatch7.0.50

apachetomcatMatch7.0.52

apachetomcatMatch7.0.53

apachetomcatMatch7.0.54

apachetomcatMatch7.0.55

apachetomcatMatch7.0.56

apachetomcatMatch7.0.57

apachetomcatMatch7.0.59

apachetomcatMatch7.0.61

apachetomcatMatch7.0.62

apachetomcatMatch7.0.63

apachetomcatMatch7.0.64

apachetomcatMatch8.0.0rc1

apachetomcatMatch8.0.0rc10

apachetomcatMatch8.0.0rc3

apachetomcatMatch8.0.0rc5

apachetomcatMatch8.0.1

apachetomcatMatch8.0.11

apachetomcatMatch8.0.12

apachetomcatMatch8.0.14

apachetomcatMatch8.0.15

apachetomcatMatch8.0.17

apachetomcatMatch8.0.18

apachetomcatMatch8.0.20

apachetomcatMatch8.0.21

apachetomcatMatch8.0.22

apachetomcatMatch8.0.23

apachetomcatMatch8.0.24

apachetomcatMatch8.0.26

Node

canonicalubuntu_linuxMatch12.04lts

canonicalubuntu_linuxMatch14.04lts

canonicalubuntu_linuxMatch15.10

canonicalubuntu_linuxMatch16.04lts

VendorProductVersionCPE
debiandebian_linux7.0cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*
debiandebian_linux8.0cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
apachetomcat6.0.0cpe:2.3:a:apache:tomcat:6.0.0:*:*:*:*:*:*:*
apachetomcat6.0.0cpe:2.3:a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*
apachetomcat6.0.1cpe:2.3:a:apache:tomcat:6.0.1:*:*:*:*:*:*:*
apachetomcat6.0.1cpe:2.3:a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*
apachetomcat6.0.2cpe:2.3:a:apache:tomcat:6.0.2:*:*:*:*:*:*:*
apachetomcat6.0.2cpe:2.3:a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*
apachetomcat6.0.2cpe:2.3:a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*
apachetomcat6.0.4cpe:2.3:a:apache:tomcat:6.0.4:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
debian	debian_linux	7.0	cpe:2.3:o:debian:debian_linux:7.0:::::::*
debian	debian_linux	8.0	cpe:2.3:o:debian:debian_linux:8.0:::::::*
apache	tomcat	6.0.0	cpe:2.3:a:apache:tomcat:6.0.0:::::::*
apache	tomcat	6.0.0	cpe:2.3:a:apache:tomcat:6.0.0:alpha::::::
apache	tomcat	6.0.1	cpe:2.3:a:apache:tomcat:6.0.1:::::::*
apache	tomcat	6.0.1	cpe:2.3:a:apache:tomcat:6.0.1:alpha::::::
apache	tomcat	6.0.2	cpe:2.3:a:apache:tomcat:6.0.2:::::::*
apache	tomcat	6.0.2	cpe:2.3:a:apache:tomcat:6.0.2:alpha::::::
apache	tomcat	6.0.2	cpe:2.3:a:apache:tomcat:6.0.2:beta::::::
apache	tomcat	6.0.4	cpe:2.3:a:apache:tomcat:6.0.4:::::::*

Rows per page:

1-10 of 961

References

lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html

lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

marc.info/?l=bugtraq&m=145974991225029&w=2

packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html

rhn.redhat.com/errata/RHSA-2016-1435.html

rhn.redhat.com/errata/RHSA-2016-2045.html

rhn.redhat.com/errata/RHSA-2016-2599.html

seclists.org/bugtraq/2016/Feb/149

svn.apache.org/viewvc?view=revision&revision=1696281

svn.apache.org/viewvc?view=revision&revision=1696284

svn.apache.org/viewvc?view=revision&revision=1700897

svn.apache.org/viewvc?view=revision&revision=1700898

svn.apache.org/viewvc?view=revision&revision=1700900

tomcat.apache.org/security-6.html

tomcat.apache.org/security-7.html

tomcat.apache.org/security-8.html

www.debian.org/security/2016/dsa-3530

www.debian.org/security/2016/dsa-3552

www.debian.org/security/2016/dsa-3609

www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

www.securityfocus.com/bid/83329

www.securitytracker.com/id/1035070

www.ubuntu.com/usn/USN-3024-1

access.redhat.com/errata/RHSA-2016:1432

access.redhat.com/errata/RHSA-2016:1433

access.redhat.com/errata/RHSA-2016:1434

bto.bluecoat.com/security-advisory/sa118

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2%40%3Cusers.tomcat.apache.org%3E

lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E

lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E

lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E

lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350%40%3Cusers.tomcat.apache.org%3E

security.gentoo.org/glsa/201705-09

security.netapp.com/advisory/ntap-20180531-0001/

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

4.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

AI Score

Confidence

Low

EPSS

0.002

Percentile

61.9%

JSON

Related for NVD:CVE-2015-5174

ibm24 cve1 nessus29 openvas23 ubuntucve1 f52 osv5 github1 cvelist1 prion1 tomcat3 debiancve1 veracode1 redhat8 amazon3 suse4 debian4 oraclelinux3 centos2 symantec1 atlassian3 mageia1 ubuntu1 cloudfoundry1 gentoo1 oracle1