2008-08-04 03:41:00 2019-03-25 12:30:15

Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.

Vector

NETWORK

Complexity

LOW

Authentication

NONE

Confidentiality

PARTIAL

Integrity

NONE

Availability

NONE
Apache Software Foundation Tomcat 6.0.14 Apache Software Foundation Tomcat 6.0.13 Apache Software Foundation Tomcat 6.0.12 Apache Software Foundation Tomcat 6.0.11 Apache Software Foundation Tomcat 6.0.10 Apache Software Foundation Tomcat 6.0.9 Apache Software Foundation Tomcat 6.0.8 Apache Software Foundation Tomcat 6.0.7 Apache Software Foundation Tomcat 6.0.6 Apache Software Foundation Tomcat 6.0.5 Apache Software Foundation Tomcat 6.0.4 Apache Software Foundation Tomcat 6.0.3 Apache Software Foundation Tomcat 6.0.2 Apache Software Foundation Tomcat 6.0.1 Apache Software Foundation Tomcat 6.0.0 Apache Software Foundation Tomcat 5.5.26 Apache Software Foundation Tomcat 5.5.25 Apache Software Foundation Tomcat 5.5.24 Apache Software Foundation Tomcat 5.5.23 Apache Software Foundation Tomcat 5.5.22 Apache Software Foundation Tomcat 5.5.21 Apache Software Foundation Tomcat 5.5.20 Apache Software Foundation Tomcat 5.5.19 Apache Software Foundation Tomcat 5.5.18 Apache Software Foundation Tomcat 5.5.17 Apache Software Foundation Tomcat 5.5.16 Apache Software Foundation Tomcat 5.5.15 Apache Software Foundation Tomcat 5.5.14 Apache Software Foundation Tomcat 5.5.13 Apache Software Foundation Tomcat 5.5.12 Apache Software Foundation Tomcat 5.5.11 Apache Software Foundation Tomcat 5.5.10 Apache Software Foundation Tomcat 5.5.9 Apache Software Foundation Tomcat 5.5.8 Apache Software Foundation Tomcat 5.5.7 Apache Software Foundation Tomcat 5.5.6 Apache Software Foundation Tomcat 5.5.5 Apache Software Foundation Tomcat 5.5.4 Apache Software Foundation Tomcat 5.5.3 Apache Software Foundation Tomcat 5.5.2 Apache Software Foundation Tomcat 5.5.1 Apache Software Foundation Tomcat 5.5.0 Apache Tomcat 4.1.37 (not an official CPE) Apache Software Foundation Tomcat 4.1.36 Apache Tomcat 4.1.34 (not an official CPE) Apache Tomcat 4.1.35 (not an official CPE) Apache Tomcat 4.1.33 (not an official CPE) Apache Tomcat 4.1.32 (not an official CPE) Apache Software Foundation Tomcat 4.1.31 Apache Tomcat 4.1.30 (not an official CPE) Apache Software Foundation Tomcat 4.1.29 Apache Software Foundation Tomcat 4.1.28 Apache Tomcat 4.1.27 (not an official CPE) Apache Tomcat 4.1.26 (not an official CPE) Apache Tomcat 4.1.25 (not an official CPE) Apache Software Foundation Tomcat 4.1.24 Apache Tomcat 4.1.23 (not an official CPE) Apache Tomcat 4.1.22 (not an official CPE) Apache Tomcat 4.1.21 (not an official CPE) Apache Tomcat 4.1.20 (not an official CPE) Apache Tomcat 4.1.19 (not an official CPE) Apache Tomcat 4.1.18 (not an official CPE) Apache Tomcat 4.1.17 (not an official CPE) Apache Tomcat 4.1.16 (not an official CPE) Apache Tomcat 4.1.14 (not an official CPE) Apache Software Foundation Tomcat 4.1.15 Apache Tomcat 4.1.13 (not an official CPE) Apache Software Foundation Tomcat 4.1.12 Apache Tomcat 4.1.11 (not an official CPE) Apache Software Foundation Tomcat 4.1.10 Apache Tomcat 4.1.9 (not an official CPE) Apache Tomcat 4.1.8 (not an official CPE) Apache Tomcat 4.1.7 (not an official CPE) Apache Tomcat 4.1.6 (not an official CPE) Apache Tomcat 4.1.5 (not an official CPE) Apache Tomcat 4.1.4 (not an official CPE) Apache Software Foundation Tomcat 4.1.3 Apache Software Foundation Tomcat 4.1.2 Apache Software Foundation Tomcat 4.1.1 Apache Software Foundation Tomcat 4.1.0 Apache Software Foundation Tomcat 6.0.15 Apache Software Foundation Tomcat 6.0.16