CVE-2015-5174

NameCVE-2015-5174
DescriptionDirectory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-435-1, DSA-3530-1, DSA-3552-1, DSA-3609-1
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)wheezy6.0.45+dfsg-1~deb7u1fixed
wheezy (security)6.0.45+dfsg-1~deb7u5fixed
jessie (security), jessie6.0.45+dfsg-1~deb8u1fixed
tomcat7 (PTS)wheezy7.0.28-4+deb7u4fixed
wheezy (security)7.0.28-4+deb7u17fixed
jessie (security), jessie7.0.56-3+deb8u11fixed
stretch7.0.75-1fixed
buster, sid7.0.78-1fixed
tomcat8 (PTS)jessie (security), jessie8.0.14-1+deb8u11fixed
stretch (security), stretch8.5.14-1+deb9u2fixed
buster8.5.24-1fixed
sid8.5.24-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.41-3medium
tomcat6sourcesqueeze6.0.45-1~deb6u1mediumDLA-435-1
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u1mediumDSA-3530-1
tomcat7source(unstable)7.0.68-1medium
tomcat7sourcejessie7.0.56-3+deb8u2mediumDSA-3552-1
tomcat7sourcewheezy7.0.28-4+deb7u4mediumDSA-3552-1
tomcat8source(unstable)8.0.28-1medium
tomcat8sourcejessie8.0.14-1+deb8u2mediumDSA-3609-1

Notes

Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
Fixed in 6.0.45, 7.0.65, 8.0.27

Search for package or bug name: Reporting problems