what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 11 of 11 RSS Feed

CVE-2008-5515

Status Candidate

Overview

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

Related Files

HP Security Bulletin HPSBUX02860 SSRT101146
Posted Apr 1, 2013
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX02860 SSRT101146 - Potential security vulnerabilities have been identified with HP-UX Apache running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to perform an access restriction bypass, unauthorized modification, and other vulnerabilities. Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability
systems | hpux
advisories | CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783, CVE-2009-2693, CVE-2009-2902, CVE-2009-3548, CVE-2010-1157, CVE-2010-2227, CVE-2010-3718, CVE-2010-4476, CVE-2011-0013, CVE-2011-1184, CVE-2011-2204, CVE-2011-2526, CVE-2011-2729, CVE-2011-3190, CVE-2011-4858, CVE-2012-0022, CVE-2012-5885
SHA-256 | 3a2ec4c66b8a63342dc058e636fe5628f6ab4c3fd27f829156c41caf8a44c2d1
Gentoo Linux Security Advisory 201206-24
Posted Jun 24, 2012
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201206-24 - Multiple vulnerabilities were found in Apache Tomcat, the worst of which allowing to read, modify and overwrite arbitrary files. Versions 5.5.34 are affected.

tags | advisory, arbitrary, vulnerability
systems | linux, gentoo
advisories | CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2010-1157, CVE-2010-2227, CVE-2010-3718, CVE-2010-4172, CVE-2010-4312, CVE-2011-0013, CVE-2011-0534, CVE-2011-1088, CVE-2011-1183, CVE-2011-1184, CVE-2011-1419, CVE-2011-1475, CVE-2011-1582, CVE-2011-2204, CVE-2011-2481, CVE-2011-2526, CVE-2011-2729, CVE-2011-3190, CVE-2011-3375, CVE-2011-4858
SHA-256 | 2554deef0443d375e952662e346879fa72a6339fcb77237d7e198b3b4d27ff87
Debian Security Advisory 2207-1
Posted Mar 30, 2011
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2207-1 - Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal.

tags | advisory, denial of service, vulnerability, xss, info disclosure
systems | linux, debian
advisories | CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783, CVE-2009-2693, CVE-2009-2902, CVE-2010-1157, CVE-2010-2227
SHA-256 | 5c4dd5ef21c9a6c2c4831755da943d32c7912b393cfbacd027bf90286862032f
HP Security Bulletin HPSBUX02579 SSRT100203
Posted Nov 27, 2010
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX02579 SSRT100203 - Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to disclose information, allows unauthorized modification, or create a Denial of Service (DoS). The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite. Revision 1 of this advisory.

tags | advisory, web, denial of service, vulnerability
systems | hpux
advisories | CVE-2008-5515
SHA-256 | f8eadb7337f43d95a2d20a922510ba629ecb49788075450fce5fe7205083cf52
Mandriva Linux Security Advisory 2010-176
Posted Sep 13, 2010
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2010-176 - Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle characters or sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked this issue exists because of an incomplete fix for CVE-2007-3385. Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via. sequences and the WEB-INF directory in a Request. Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header. Other issues have also been addressed.

tags | advisory, java, remote, web, denial of service
systems | linux, mandriva
advisories | CVE-2007-5333, CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0783, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2010-1157, CVE-2010-2227
SHA-256 | fc7dd9c0367dbd633972bba44e45df2449d43149c7f42f5e75fdc5df99893222
HP Security Bulletin HPSBMA02535 SSRT100029
Posted May 19, 2010
Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential security vulnerabilities have been identified with HP Performance Manager. The vulnerabilities could be exploited remotely to allow unauthorized access, cross site scripting (XSS), and Denial of Service (DoS).

tags | advisory, denial of service, vulnerability, xss
advisories | CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783, CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3548
SHA-256 | 2c9b1c503df2fefd5092de5894496816bf76e18ffa64a7cafd5f0b0d8a696bad
HP Security Bulletin HPSBUX02466 SSRT090192
Posted Oct 23, 2009
Authored by Hewlett Packard | Site hp.com

HP Security Bulletin - Potential security vulnerabilities have been identified with HP-UX running Tomcat-based Servlet Engine. The vulnerabilities could be exploited remotely to cause a Denial of Service (DoS) or unauthorized access. Tomcat-based Servlet Engine is contained in the Apache Web Server Suite.

tags | advisory, web, denial of service, vulnerability
systems | hpux
advisories | CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783
SHA-256 | 62cfcd445dd3a0cdbbbf4799a5537b3b34fd9cac42db9999e84fe88b1fb68bac
Mandriva Linux Security Advisory 2009-163
Posted Jul 28, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-163 - Multiple security vulnerabilities has been identified and fixed in tomcat5. These range from denial of service to cross site scripting issues. The updated packages have been patched to prevent this. Additionally Apache Tomcat has been upgraded to the latest 5.5.27 version for MES5.

tags | advisory, denial of service, vulnerability, xss
systems | linux, mandriva
advisories | CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783
SHA-256 | ab70b93440f120a27479d7e847e3bc2dbd0716dcc7ab17f8b920c7145bb7bf75
Mandriva Linux Security Advisory 2009-138
Posted Jun 23, 2009
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2009-138 - Multiple security vulnerabilities have been identified and fixed in tomcat5. These problems range from cross site scripting to directory traversal issues. The updated packages have been patched to prevent this. Additionally, Apache Tomcat has been upgraded to the latest 5.5.27 version for 2009.0.

tags | advisory, vulnerability, xss
systems | linux, mandriva
advisories | CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783
SHA-256 | 332b74194aca97203eedd7da4595ab4f1fdc87fbade037addae3ce8b81d3370b
Ubuntu Security Notice 788-1
Posted Jun 15, 2009
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice USN-788-1 - Iida Minehiko discovered that Tomcat did not properly normalise paths. A remote attacker could send specially crafted requests to the server and bypass security restrictions, gaining access to sensitive content. Yoshihito Fukuyama discovered that Tomcat did not properly handle errors when the Java AJP connector and mod_jk load balancing are used. A remote attacker could send specially crafted requests containing invalid headers to the server and cause a temporary denial of service. D. Matscheko and T. Hackner discovered that Tomcat did not properly handle malformed URL encoding of passwords when FORM authentication is used. A remote attacker could exploit this in order to enumerate valid usernames. Deniz Cevik discovered that Tomcat did not properly escape certain parameters in the example calendar application which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. Philippe Prados discovered that Tomcat allowed web applications to replace the XML parser used by other web applications. Local users could exploit this to bypass security restrictions and gain access to certain sensitive files.

tags | advisory, java, remote, web, denial of service, local, vulnerability, xss
systems | linux, ubuntu
advisories | CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783
SHA-256 | 03c46ab8e039d95b3d68d8fff432ef9ad26a6c0edc896dd0c164b176129017f4
Apache Tomcat Information Disclosure
Posted Jun 9, 2009
Authored by Mark Thomas | Site tomcat.apache.org

When using a RequestDispatcher obtained from the Request in Apache Tomcat, the target path was normalized before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Versions affected include Tomcat 6.0.0 to 6.0.18, Tomcat 5.5.0 to 5.5.27, and Tomcat 4.1.0 to 4.1.39.

tags | exploit, web
advisories | CVE-2008-5515
SHA-256 | c0a0a2a9804149cddfa6d775c7f68367d06311ea65f71bbd9aad52799158a793
Page 1 of 1
Back1Next

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close