CVE-2008-5515

Impact: Important
Public Date: 2009-06-08
Bugzilla: 504753: CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability

The MITRE CVE dictionary describes this issue as:

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Find out more about CVE-2008-5515 from the MITRE CVE dictionary and NIST NVD.
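The ordering bug the MITRE text describes, modelled as an added example (this is not Tomcat's code, and the function names, the "/public" forward prefix and the sample dispatcher target are constructed here): a container must strip the query string from a RequestDispatcher target before normalizing ".." segments, otherwise attacker-controlled parameter values become path segments and change which resource the forward reaches.

```python
# Added example, not Tomcat source. Models CVE-2008-5515: normalizing the
# dispatcher target before removing the query string lets ".." inside a
# request parameter rewrite the path the container actually dispatches to.
# All names and sample inputs below are constructed for illustration.

def normalize(path: str) -> str:
    """Collapse '.', '..' and empty segments the way container path
    normalization does; a '..' at the root is dropped rather than rejected."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def split_query(target: str):
    """Return (path, query) for a target such as '/a.jsp?x=1'; query is None
    when the target carries no '?' at all."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)


def resolve_vulnerable(target: str):
    """Pre-fix order: normalize the whole target, then drop the query string.
    Segments that live in the query string take part in normalization."""
    return split_query(normalize(target))


def resolve_fixed(target: str):
    """Fixed order: drop the query string first, then normalize only the path."""
    path, query = split_query(target)
    return normalize(path), query


def forward_is_allowed(target: str, allowed_prefix: str) -> bool:
    """Application-level guard for code that builds forward targets from user
    input: resolve with the fixed order and refuse any target whose normalized
    path leaves the directory the application intended to forward into."""
    path, _query = resolve_fixed(target)
    return path.startswith(allowed_prefix.rstrip("/") + "/")
```

With the constructed target `/public/view.jsp?file=/../../WEB-INF/web.xml`, `resolve_vulnerable` yields `/WEB-INF/web.xml` while `resolve_fixed` keeps `/public/view.jsp` and leaves the parameter value in the query string.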

Red Hat Security Errata

Platform | Errata | Release Date
Red Hat Satellite 5.2 (RHEL v.4 AS) (tomcat5) | RHSA-2009:1616 | 2009-11-30
Red Hat Certificate System 7.3 for 4AS | RHSA-2010:0602 | 2010-08-04
Red Hat Satellite 5.1 (RHEL v.4 AS) (tomcat5) | RHSA-2009:1617 | 2009-11-30
Red Hat Satellite 5.3 (RHEL v.4) (tomcat5) | RHSA-2009:1616 | 2009-11-30
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (jbossas) | RHSA-2009:1146 | 2009-07-06
Red Hat JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS (jbossas) | RHSA-2009:1144 | 2009-07-06
Red Hat JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (jbossas) | RHSA-2009:1145 | 2009-07-06
Red Hat JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server (jbossas) | RHSA-2009:1143 | 2009-07-06
Red Hat Developer Suite v.3 (AS v.4) (tomcat5) | RHSA-2009:1563 | 2009-11-09
Red Hat Enterprise Linux version 5 (tomcat5) | RHSA-2009:1164 | 2009-07-21
Red Hat JBoss Web Server 1.0 for RHEL 4 AS (tomcat5) | RHSA-2009:1454 | 2009-09-21
Red Hat JBoss Web Server 1.0 for RHEL 4 AS (tomcat6) | RHSA-2009:1506 | 2009-10-14
Red Hat Application Server v2 4AS (tomcat5) | RHSA-2009:1562 | 2009-11-09
Red Hat JBoss Web Server 1.0 for RHEL 5 Server (tomcat5) | RHSA-2009:1454 | 2009-09-21
Red Hat JBoss Web Server 1.0 for RHEL 5 Server (tomcat6) | RHSA-2009:1506 | 2009-10-14