Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
References
Link Providers
http://jvn.jp/en/jp/JVN63832775/index.html cve-icon cve-icon
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=127420533226623&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=129070310906557&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=136485229118404&w=2 cve-icon cve-icon
http://secunia.com/advisories/35393 cve-icon cve-icon
http://secunia.com/advisories/35685 cve-icon cve-icon
http://secunia.com/advisories/35788 cve-icon cve-icon
http://secunia.com/advisories/37460 cve-icon cve-icon
http://secunia.com/advisories/39317 cve-icon cve-icon
http://secunia.com/advisories/42368 cve-icon cve-icon
http://secunia.com/advisories/44183 cve-icon cve-icon
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 cve-icon cve-icon
http://support.apple.com/kb/HT4077 cve-icon cve-icon
http://tomcat.apache.org/security-4.html cve-icon cve-icon
http://tomcat.apache.org/security-5.html cve-icon cve-icon
http://tomcat.apache.org/security-6.html cve-icon cve-icon
http://www.debian.org/security/2011/dsa-2207 cve-icon cve-icon
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 cve-icon cve-icon
http://www.securityfocus.com/archive/1/504170/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/archive/1/504202/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/archive/1/507985/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/35263 cve-icon cve-icon
http://www.vmware.com/security/advisories/VMSA-2009-0016.html cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1520 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1535 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/1856 cve-icon cve-icon
http://www.vupen.com/english/advisories/2009/3316 cve-icon cve-icon
http://www.vupen.com/english/advisories/2010/3056 cve-icon cve-icon
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2008-5515 cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452 cve-icon cve-icon
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445 cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2008-5515 cve-icon
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html cve-icon cve-icon
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html cve-icon cve-icon
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html cve-icon cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2009-06-16T20:26:00

Updated: 2024-08-07T10:56:46.803Z

Reserved: 2008-12-12T00:00:00

Link: CVE-2008-5515

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2009-06-16T21:00:00.313

Modified: 2024-11-21T00:54:14.080

Link: CVE-2008-5515

cve-icon Redhat

Severity : Important

Publid Date: 2009-06-08T00:00:00Z

Links: CVE-2008-5515 - Bugzilla