Home > Vulnerability Database > CVE-2008-5515

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2008-5515

Date: June 16, 2009

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Severity Score

5.3

Related Resources (55)

Url: http://secunia.com/advisories/35788

Url: https://github.com/apache/tomcat/commit/6b61911f94d6d8d49ee933c5f1882a7e7c336d2c

Url: https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:19452

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2010:176

Url: https://github.com/apache/tomcat

Url: https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html

Url: http://secunia.com/advisories/35393

Url: https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

Url: https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html

Url: https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

Url: http://www.vupen.com/english/advisories/2009/1520

Url: http://www.vmware.com/security/advisories/VMSA-2009-0016.html

Url: http://www.securityfocus.com/archive/1/504202/100/0/threaded

Url: https://access.redhat.com/security/cve/CVE-2008-5515

Url: http://jvn.jp/en/jp/JVN63832775/index.html

Url: https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html

Url: http://www.securityfocus.com/archive/1/504170/100/0/threaded

Url: https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E

Url: http://www.debian.org/security/2011/dsa-2207

Url: https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2009:138

Url: https://nvd.nist.gov/vuln/detail/CVE-2008-5515

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2009:136

Url: http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1

Url: http://www.vupen.com/english/advisories/2009/3316

Url: https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E

Url: http://marc.info/?l=bugtraq&m=129070310906557&w=2

Url: http://tomcat.apache.org/security-5.html

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452

Url: http://secunia.com/advisories/35685

Url: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445

Url: http://tomcat.apache.org/security-4.html

Url: https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E

Url: http://marc.info/?l=bugtraq&m=127420533226623&w=2

Url: https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:10422

Url: https://oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:6445

Url: http://www.vupen.com/english/advisories/2010/3056

Url: http://support.apple.com/kb/HT4077

Url: http://www.securityfocus.com/bid/35263

Url: http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html

Url: http://www.securityfocus.com/archive/1/507985/100/0/threaded

Url: http://secunia.com/advisories/39317

Url: http://marc.info/?l=bugtraq&m=136485229118404&w=2

Url: http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

Url: http://secunia.com/advisories/44183

Url: http://secunia.com/advisories/37460

Url: http://tomcat.apache.org/security-6.html

Url: http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html

Url: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422

Url: http://www.vupen.com/english/advisories/2009/1535

Url: http://www.vupen.com/english/advisories/2009/1856

Url: http://secunia.com/advisories/42368

Url: https://www.mend.io/vulnerability-database/CVE-2008-5515

Severity Score

5.3

Weakness Type (CWE)

Path Traversal

CWE-22

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Do you need more information?

Contact Us