CVE-2008-5515

NameCVE-2008-5515
DescriptionApache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
SourceCVE (at NVD; oss-sec, fulldisc, OSVDB, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, more)
ReferencesDSA-2207-1
NVD severitymedium (attack range: remote)
Debian Bugs532362, 532363, 532366
Debian/oldstablenot vulnerable.
Debian/stablenot vulnerable.
Debian/testingnot vulnerable.
Debian/unstablenot vulnerable.

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)squeeze (security), squeeze6.0.35-1+squeeze4fixed
squeeze (lts)6.0.41-2+squeeze6fixed
wheezy, wheezy (security)6.0.35-6+deb7u1fixed
jessie, sid6.0.41-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat5source(unstable)(unfixed)medium532363
tomcat5.5source(unstable)(unfixed)medium532366
tomcat5.5sourcelenny5.5.26-5lenny2mediumDSA-2207-1
tomcat6source(unstable)6.0.20-1medium532362
tomcat6sourcelenny(not affected)

Notes

[lenny] - tomcat6 <not-affected> (Only ships the servlet package)

Search for package or bug name: Reporting problems