Fixed in Apache Tomcat 7.0.65

Low: Limited directory traversal CVE-2015-5174

This issue only affects users running untrusted web applications under a security manager.

When accessing resources via the ServletContext methods getResource() getResourceAsStream() and getResourcePaths() the paths should be limited to the current web application. The validation was not correct and paths of the form “/…” were not rejected. Note that paths starting with “/…/” were correctly rejected. This bug allowed malicious web applications running under a security manager to obtain a directory listing for the directory in which the web application had been deployed. This should not be possible when running under a security manager. Typically, the directory listing that would be exposed would be for $CATALINA_BASE/webapps.

This was fixed in revisions 1696284 and 1700898.

This issue was identified by the Tomcat security team on 12 August 2015 and made public on 22 February 2016.

Affects: 7.0.0 to 7.0.64