// For flags

CVE-2008-5515

tomcat request dispatcher information disclosure vulnerability

Severity Score

7.5
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Apache Tomcat desde v4.1.0 hasta v4.1.39, desde v5.5.0 hasta v5.5.27, desde v6.0.0 hasta v6.0.18, y posiblemente versiones anteriores que normalizan la ruta del directorio objetivo antes de filtrar la cadena de petición cuando se utiliza el método RequestDispatcher, lo que permitiría atacantes remotos evitar las restricciones de acceso previstas y que llevaría a un salto de directorio a través de secuencias ..(punto punto) y el directorio WEB-INF en una petición.

Iida Minehiko discovered that Tomcat did not properly normalise paths. A remote attacker could send specially crafted requests to the server and bypass security restrictions, gaining access to sensitive content. Yoshihito Fukuyama discovered that Tomcat did not properly handle errors when the Java AJP connector and mod_jk load balancing are used. A remote attacker could send specially crafted requests containing invalid headers to the server and cause a temporary denial of service. D. Matscheko and T. Hackner discovered that Tomcat did not properly handle malformed URL encoding of passwords when FORM authentication is used. A remote attacker could exploit this in order to enumerate valid usernames. Deniz Cevik discovered that Tomcat did not properly escape certain parameters in the example calendar application which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. Philippe Prados discovered that Tomcat allowed web applications to replace the XML parser used by other web applications. Local users could exploit this to bypass security restrictions and gain access to certain sensitive files.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2008-12-12 CVE Reserved
  • 2009-06-09 CVE Published
  • 2009-06-09 First Exploit
  • 2024-08-07 CVE Updated
  • 2025-06-23 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CAPEC
References (50)
URL Tag Source
http://secunia.com/advisories/35393 Third Party Advisory
http://secunia.com/advisories/35685 Third Party Advisory
http://secunia.com/advisories/35788 Third Party Advisory
http://secunia.com/advisories/37460 Third Party Advisory
http://secunia.com/advisories/39317 Third Party Advisory
http://secunia.com/advisories/42368 Third Party Advisory
http://secunia.com/advisories/44183 Third Party Advisory
http://support.apple.com/kb/HT4077 X_refsource_confirm
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html X_refsource_confirm
http://www.securityfocus.com/archive/1/504170/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/504202/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/507985/100/0/threaded Mailing List
http://www.vmware.com/security/advisories/VMSA-2009-0016.html X_refsource_confirm
http://www.vupen.com/english/advisories/2009/1535 Vdb Entry
http://www.vupen.com/english/advisories/2009/1856 Vdb Entry
http://www.vupen.com/english/advisories/2009/3316 Vdb Entry
http://www.vupen.com/english/advisories/2010/3056 Vdb Entry
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E Mailing List
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E Mailing List
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445 Signature
URL Date SRC
https://packetstorm.news/files/id/78169 2009-06-09
URL Date SRC
http://jvn.jp/en/jp/JVN63832775/index.html 2023-02-13
http://tomcat.apache.org/security-4.html 2023-02-13
http://tomcat.apache.org/security-5.html 2023-02-13
http://tomcat.apache.org/security-6.html 2023-02-13
http://www.securityfocus.com/bid/35263 2023-02-13
http://www.vupen.com/english/advisories/2009/1520 2023-02-13
URL Date SRC
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html 2023-02-13
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html 2023-02-13
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html 2023-02-13
http://marc.info/?l=bugtraq&m=127420533226623&w=2 2023-02-13
http://marc.info/?l=bugtraq&m=129070310906557&w=2 2023-02-13
http://marc.info/?l=bugtraq&m=136485229118404&w=2 2023-02-13
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 2023-02-13
http://www.debian.org/security/2011/dsa-2207 2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 2023-02-13
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html 2023-02-13
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html 2023-02-13
https://access.redhat.com/security/cve/CVE-2008-5515 2010-08-04
https://bugzilla.redhat.com/show_bug.cgi?id=504753 2010-08-04
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.0
Search vendor "Apache" for product "Tomcat" and version "4.1.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.1
Search vendor "Apache" for product "Tomcat" and version "4.1.1"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.2
Search vendor "Apache" for product "Tomcat" and version "4.1.2"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.3
Search vendor "Apache" for product "Tomcat" and version "4.1.3"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.10
Search vendor "Apache" for product "Tomcat" and version "4.1.10"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.11
Search vendor "Apache" for product "Tomcat" and version "4.1.11"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.12
Search vendor "Apache" for product "Tomcat" and version "4.1.12"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.13
Search vendor "Apache" for product "Tomcat" and version "4.1.13"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.14
Search vendor "Apache" for product "Tomcat" and version "4.1.14"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.15
Search vendor "Apache" for product "Tomcat" and version "4.1.15"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.16
Search vendor "Apache" for product "Tomcat" and version "4.1.16"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.17
Search vendor "Apache" for product "Tomcat" and version "4.1.17"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.18
Search vendor "Apache" for product "Tomcat" and version "4.1.18"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.19
Search vendor "Apache" for product "Tomcat" and version "4.1.19"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.20
Search vendor "Apache" for product "Tomcat" and version "4.1.20"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.21
Search vendor "Apache" for product "Tomcat" and version "4.1.21"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.22
Search vendor "Apache" for product "Tomcat" and version "4.1.22"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.23
Search vendor "Apache" for product "Tomcat" and version "4.1.23"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.24
Search vendor "Apache" for product "Tomcat" and version "4.1.24"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.25
Search vendor "Apache" for product "Tomcat" and version "4.1.25"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.26
Search vendor "Apache" for product "Tomcat" and version "4.1.26"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.27
Search vendor "Apache" for product "Tomcat" and version "4.1.27"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.28
Search vendor "Apache" for product "Tomcat" and version "4.1.28"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.29
Search vendor "Apache" for product "Tomcat" and version "4.1.29"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.30
Search vendor "Apache" for product "Tomcat" and version "4.1.30"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.31
Search vendor "Apache" for product "Tomcat" and version "4.1.31"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.32
Search vendor "Apache" for product "Tomcat" and version "4.1.32"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.33
Search vendor "Apache" for product "Tomcat" and version "4.1.33"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.34
Search vendor "Apache" for product "Tomcat" and version "4.1.34"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.35
Search vendor "Apache" for product "Tomcat" and version "4.1.35"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.36
Search vendor "Apache" for product "Tomcat" and version "4.1.36"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.37
Search vendor "Apache" for product "Tomcat" and version "4.1.37"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.38
Search vendor "Apache" for product "Tomcat" and version "4.1.38"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 4.1.39
Search vendor "Apache" for product "Tomcat" and version "4.1.39"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.0
Search vendor "Apache" for product "Tomcat" and version "5.5.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.1
Search vendor "Apache" for product "Tomcat" and version "5.5.1"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.2
Search vendor "Apache" for product "Tomcat" and version "5.5.2"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.3
Search vendor "Apache" for product "Tomcat" and version "5.5.3"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.4
Search vendor "Apache" for product "Tomcat" and version "5.5.4"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.5
Search vendor "Apache" for product "Tomcat" and version "5.5.5"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.6
Search vendor "Apache" for product "Tomcat" and version "5.5.6"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.7
Search vendor "Apache" for product "Tomcat" and version "5.5.7"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.8
Search vendor "Apache" for product "Tomcat" and version "5.5.8"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.9
Search vendor "Apache" for product "Tomcat" and version "5.5.9"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.10
Search vendor "Apache" for product "Tomcat" and version "5.5.10"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.11
Search vendor "Apache" for product "Tomcat" and version "5.5.11"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.12
Search vendor "Apache" for product "Tomcat" and version "5.5.12"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.13
Search vendor "Apache" for product "Tomcat" and version "5.5.13"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.14
Search vendor "Apache" for product "Tomcat" and version "5.5.14"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.15
Search vendor "Apache" for product "Tomcat" and version "5.5.15"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.16
Search vendor "Apache" for product "Tomcat" and version "5.5.16"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.17
Search vendor "Apache" for product "Tomcat" and version "5.5.17"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.18
Search vendor "Apache" for product "Tomcat" and version "5.5.18"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.19
Search vendor "Apache" for product "Tomcat" and version "5.5.19"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.20
Search vendor "Apache" for product "Tomcat" and version "5.5.20"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.21
Search vendor "Apache" for product "Tomcat" and version "5.5.21"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.22
Search vendor "Apache" for product "Tomcat" and version "5.5.22"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.23
Search vendor "Apache" for product "Tomcat" and version "5.5.23"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.24
Search vendor "Apache" for product "Tomcat" and version "5.5.24"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.25
Search vendor "Apache" for product "Tomcat" and version "5.5.25"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.26
Search vendor "Apache" for product "Tomcat" and version "5.5.26"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 5.5.27
Search vendor "Apache" for product "Tomcat" and version "5.5.27"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0
Search vendor "Apache" for product "Tomcat" and version "6.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.0
Search vendor "Apache" for product "Tomcat" and version "6.0.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.1
Search vendor "Apache" for product "Tomcat" and version "6.0.1"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.2
Search vendor "Apache" for product "Tomcat" and version "6.0.2"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.3
Search vendor "Apache" for product "Tomcat" and version "6.0.3"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.4
Search vendor "Apache" for product "Tomcat" and version "6.0.4"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.5
Search vendor "Apache" for product "Tomcat" and version "6.0.5"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.6
Search vendor "Apache" for product "Tomcat" and version "6.0.6"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.7
Search vendor "Apache" for product "Tomcat" and version "6.0.7"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.9
Search vendor "Apache" for product "Tomcat" and version "6.0.9"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.10
Search vendor "Apache" for product "Tomcat" and version "6.0.10"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.12
Search vendor "Apache" for product "Tomcat" and version "6.0.12"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.13
Search vendor "Apache" for product "Tomcat" and version "6.0.13"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.14
Search vendor "Apache" for product "Tomcat" and version "6.0.14"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.15
Search vendor "Apache" for product "Tomcat" and version "6.0.15"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.16
Search vendor "Apache" for product "Tomcat" and version "6.0.16"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.17
Search vendor "Apache" for product "Tomcat" and version "6.0.17"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.18
Search vendor "Apache" for product "Tomcat" and version "6.0.18"
-
Affected