CVE-2008-2370
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.
Related bugs and status
CVE-2008-2370 (Candidate) is related to these bugs:
Bug #112626: unable to install tomcat 5.5 on update ubuntu 7.04
Bug | Summary | In | Importance | Status
---|---|---|---|---
112626 | unable to install tomcat 5.5 on update ubuntu 7.04 | tomcat5.5 (Ubuntu) | Low | Fix Released
Bug #179447: Installation of tomcat5.5 fails if openjdk-6 or a JRE is installed
Bug | Summary | In | Importance | Status
---|---|---|---|---
179447 | Installation of tomcat5.5 fails if openjdk-6 or a JRE is installed | tomcat5.5 (Ubuntu) | Medium | Fix Released
179447 | Installation of tomcat5.5 fails if openjdk-6 or a JRE is installed | tomcat5.5 (Debian) | Unknown | Fix Released
179447 | Installation of tomcat5.5 fails if openjdk-6 or a JRE is installed | tomcat5.5 (Ubuntu Hardy) | High | Fix Released
Bug #212521: Installation fails even if openjdk-6-jdk is installed
Bug | Summary | In | Importance | Status
---|---|---|---|---
212521 | Installation fails even if openjdk-6-jdk is installed | tomcat5.5 (Ubuntu) | Medium | Fix Released
212521 | Installation fails even if openjdk-6-jdk is installed | tomcat5.5 (Debian) | Unknown | Fix Released
212521 | Installation fails even if openjdk-6-jdk is installed | tomcat5.5 (Ubuntu Hardy) | Undecided | Fix Released
Bug #256802: tomcat <6.0.18: Directory Traversal (CVE-2008-2938)
Bug | Summary | In | Importance | Status
---|---|---|---|---
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat6 (Ubuntu) | Undecided | Fix Released
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat5.5 (Ubuntu) | Low | Fix Released
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat6 (Gentoo Linux) | Critical | Invalid
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat5.5 (Debian) | Unknown | Fix Released
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat5.5 (Ubuntu Hardy) | Low | Fix Released
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat6 (Ubuntu Hardy) | Undecided | Invalid
Bug #256922: Information disclosure vulnerability (CVE-2008-2370)
Bug | Summary | In | Importance | Status
---|---|---|---|---
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat6 (Ubuntu) | Undecided | Fix Released
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat5.5 (Ubuntu) | Medium | Fix Released
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat5.5 (Debian) | Unknown | Fix Released
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat5.5 (Ubuntu Hardy) | Medium | Fix Released
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat6 (Ubuntu Hardy) | Undecided | Invalid
Bug #256926: Cross-site scripting through sendError (CVE-2008-1232)
Bug | Summary | In | Importance | Status
---|---|---|---|---
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat6 (Ubuntu) | Undecided | Fix Released
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat5.5 (Ubuntu) | Low | Fix Released
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat5.5 (Debian) | Unknown | Fix Released
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat5.5 (Ubuntu Hardy) | Low | Fix Released
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat6 (Ubuntu Hardy) | Undecided | Invalid
Bug #260016: Update to Tomcat 6.0.18
Bug | Summary | In | Importance | Status
---|---|---|---|---
260016 | Update to Tomcat 6.0.18 | tomcat6 (Ubuntu) | Wishlist | Fix Released
Bug #270553: Cross-site scripting in host-manager webapp (CVE-2008-1947)
Bug | Summary | In | Importance | Status
---|---|---|---|---
270553 | Cross-site scripting in host-manager webapp (CVE-2008-1947) | tomcat5.5 (Ubuntu) | Low | Invalid
270553 | Cross-site scripting in host-manager webapp (CVE-2008-1947) | tomcat5.5 (Ubuntu Hardy) | Low | Fix Released
Bug #298043: Please merge tomcat5.5 5.5.26-5 (universe) from Debian unstable (main)
Bug | Summary | In | Importance | Status
---|---|---|---|---
298043 | Please merge tomcat5.5 5.5.26-5 (universe) from Debian unstable (main) | tomcat5.5 (Ubuntu) | Wishlist | Fix Released
Bug #298051: tomcat5.5 initscript "status" action always return 0
Bug | Summary | In | Importance | Status
---|---|---|---|---
298051 | tomcat5.5 initscript "status" action always return 0 | tomcat5.5 (Ubuntu) | Low | Fix Released
See the CVE page on Mitre.org for more details.