exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CVE-2008-2938.txt

CVE-2008-2938.txt
Posted Sep 10, 2008
Authored by Mark Thomas | Site tomcat.apache.org

Apache Tomcat versions 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 suffer from an information disclosure vulnerability.

tags | advisory, info disclosure
advisories | CVE-2008-2938
SHA-256 | 336ae34f18a11aaa4141e2fcd7aeb318b8b924dd30a3de3cafb02c982c3cd061

CVE-2008-2938.txt

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated

Severity: Important (was moderate)

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description (new information):
Further investigation of CVE-2008-2938 has shown that the vulnerability
also exists only with URIEncoding="UTF-8" set on the connector. In these
configurations arbitrary files in the docBase for an application,
including files such as web.xml, may be disclosed.
Users should also be aware that this vulnerability will apply when
processing requests with UTF-8 body encoding and
useBodyEncodingForURI="true"

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should obtain the latest source from svn or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=681065

Example:
http://www.target.com/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml

Credit:
This additional information was discovered by the Apache Tomcat security
team.

References:
http://tomcat.apache.org/security.html

Mark Thomas


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjHnCMACgkQb7IeiTPGAkMoLQCg2PxS09CpZGI9t+QcdifSfMh8
CHcAoOSRAPOzAFH5hx1w8jxOBthrAKEJ
=Fi0E
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close