Vulnerability Description
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Tomcat | 4.1.0 |
Related Weaknesses (CWE)
References
- http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
- http://marc.info/?l=bugtraq&m=123376588623823&w=2
- http://marc.info/?l=bugtraq&m=139344343412337&w=2
- http://secunia.com/advisories/31379
- http://secunia.com/advisories/31381
- http://secunia.com/advisories/31639
- http://secunia.com/advisories/31865
- http://secunia.com/advisories/31891
- http://secunia.com/advisories/31982
- http://secunia.com/advisories/32120
- http://secunia.com/advisories/32222
- http://secunia.com/advisories/32266
- http://secunia.com/advisories/33797
FAQ
What is CVE-2008-2370?
CVE-2008-2370 is a vulnerability with a CVSS score of 5.0 (MEDIUM). Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which a...
How severe is CVE-2008-2370?
CVE-2008-2370 has been rated MEDIUM with a CVSS base score of 5.0/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2008-2370?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat.