2016-02-25 02:59:01 2019-04-15 18:30:12

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

Vector: NETWORK
Complexity: LOW
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE

Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.2 alpha
Apache Software Foundation Tomcat 6.0.2 beta
Apache Software Foundation Tomcat 6.0.4
Apache Tomcat 9.0.0 M1 (not an official CPE)
Apache Tomcat 8.0.29 (not an official CPE)
Apache Tomcat 8.0.28 (not an official CPE)
Apache Tomcat 8.0.27 (not an official CPE)
Apache Tomcat 8.0.26 (not an official CPE)
Apache Tomcat 8.0.24 (not an official CPE)
Apache Tomcat 8.0.23 (not an official CPE)
Apache Tomcat 8.0.22 (not an official CPE)
Apache Tomcat 8.0.21 (not an official CPE)
Apache Tomcat 8.0.20 (not an official CPE)
Apache Tomcat 8.0.18 (not an official CPE)
Apache Tomcat 8.0.17 (not an official CPE)
Apache Software Foundation Tomcat 8.0.15
Apache Software Foundation Tomcat 8.0.14
Apache Software Foundation Tomcat 8.0.12
Apache Software Foundation Tomcat 8.0.11
Apache Tomcat 8.0.3 (not an official CPE)
Apache Software Foundation Tomcat 8.0.1
Apache Software Foundation Tomcat 8.0.0 release candidate 5
Apache Tomcat 8.0.0 Rc3 (not an official CPE)
Apache Software Foundation Tomcat 8.0.0 release candidate 10
Apache Software Foundation Tomcat 8.0.0 Release Candidate 1
Apache Tomcat 7.0.65 (not an official CPE)
Apache Tomcat 7.0.64 (not an official CPE)
Apache Tomcat 7.0.63 (not an official CPE)
Apache Tomcat 7.0.62 (not an official CPE)
Apache Tomcat 7.0.61 (not an official CPE)
Apache Tomcat 7.0.59 (not an official CPE)
Apache Software Foundation Tomcat 7.0.57
Apache Software Foundation Tomcat 7.0.56
Apache Software Foundation Tomcat 7.0.55
Apache Software Foundation Tomcat 7.0.54
Apache Tomcat 7.0.53 (not an official CPE)
Apache Tomcat 7.0.52 (not an official CPE)
Apache Software Foundation Tomcat 7.0.50
Apache Software Foundation Tomcat 7.0.47
Apache Software Foundation Tomcat 7.0.42
Apache Software Foundation Tomcat 7.0.41
Apache Software Foundation Tomcat 7.0.40
Apache Software Foundation Tomcat 7.0.39
Apache Software Foundation Tomcat 7.0.37
Apache Software Foundation Tomcat 7.0.35
Apache Software Foundation Tomcat 7.0.34
Apache Software Foundation Tomcat 7.0.33
Apache Software Foundation Tomcat 7.0.32
Apache Software Foundation Tomcat 7.0.30
Apache Software Foundation Tomcat 7.0.29
Apache Software Foundation Tomcat 7.0.28
Apache Software Foundation Tomcat 7.0.27
Apache Software Foundation Tomcat 7.0.26
Apache Software Foundation Tomcat 7.0.25
Apache Software Foundation Tomcat 7.0.23
Apache Software Foundation Tomcat 7.0.22
Apache Software Foundation Tomcat 7.0.21
Apache Software Foundation Tomcat 7.0.20
Apache Software Foundation Tomcat 7.0.19
Apache Software Foundation Tomcat 7.0.16
Apache Software Foundation Tomcat 7.0.14
Apache Software Foundation Tomcat 7.0.12
Apache Software Foundation Tomcat 7.0.10
Apache Tomcat 6.0.44 (not an official CPE)
Apache Software Foundation Tomcat 7.0.11
Apache Software Foundation Tomcat 7.0.6
Apache Software Foundation Tomcat 7.0.4 beta
Apache Tomcat 7.0.5 Beta (not an official CPE)
Apache Software Foundation Tomcat 7.0.2 beta
Apache Software Foundation Tomcat 7.0.0 beta
Apache Software Foundation Tomcat 6.0.41
Apache Software Foundation Tomcat 6.0.43
Apache Tomcat 6.0.39 (not an official CPE)
Apache Software Foundation Tomcat 6.0.37
Apache Software Foundation Tomcat 6.0.36
Apache Software Foundation Tomcat 6.0.35
Apache Software Foundation Tomcat 6.0.30
Apache Software Foundation Tomcat 6.0.33
Apache Software Foundation Tomcat 6.0.32
Apache Software Foundation Tomcat 6.0.29
Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.20
Apache Software Foundation Tomcat 6.0.24
Apache Software Foundation Tomcat 6.0.26
Apache Software Foundation Tomcat 6.0.28
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.4 alpha
Apache Software Foundation Tomcat 6.0.1 alpha
Apache Software Foundation Tomcat 6.0.0 alpha
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0.0

Advisory Patch Confirmed Link
[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in ...
[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in ...
[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in ...
[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in ...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
RHSA-2016:1087
https://kc.mcafee.com/corporate/index?page=content&id=SB...
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/d...
83328
1035071
RHSA-2016:1088
https://bto.bluecoat.com/security-advisory/sa118
USN-3024-1
http://www.qcsec.com/blog/CVE-2015-5345-apache-tomcat-vu...
http://www.oracle.com/technetwork/topics/security/linuxb...
http://www.oracle.com/technetwork/topics/security/bullet...
http://www.oracle.com/technetwork/security-advisory/cpuj...
DSA-3530
DSA-3552
DSA-3609
http://tomcat.apache.org/security-9.html
http://svn.apache.org/viewvc?view=revision&revision=1717...
http://svn.apache.org/viewvc?view=revision&revision=1715...
http://svn.apache.org/viewvc?view=revision&revision=1716...
http://svn.apache.org/viewvc?view=revision&revision=1716...
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://svn.apache.org/viewvc?view=revision&revision=1717...
http://svn.apache.org/viewvc?view=revision&revision=1717...
http://svn.apache.org/viewvc?view=revision&revision=1715...
http://svn.apache.org/viewvc?view=revision&revision=1715...
20160225 [CVE-2015-5345] Information disclosure vulnerab...
http://svn.apache.org/viewvc?view=revision&revision=1715...
RHSA-2016:2599
20160222 [SECURITY] CVE-2015-5345 Apache Tomcat Director...
http://tomcat.apache.org/security-8.html
RHSA-2016:2045
HPSBUX03561
http://packetstormsecurity.com/files/135892/Apache-Tomca...
openSUSE-SU-2016:0865
SUSE-SU-2016:0839
RHSA-2016:1089
SUSE-SU-2016:0822
SUSE-SU-2016:0769
GLSA-201705-09
https://security.netapp.com/advisory/ntap-20180531-0001/