CVE-2008-2938

MEDIUM severity · CVSS 4.3 · Path traversal

4.3CVSS MEDIUM

Summary

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

Impact & exploitability

Attack vectorNetwork

Attack complexity—

Privileges required—

User interaction—

Confidentiality impact—

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)93%

AV:N/AC:M/Au:N/C:P/I:N/A:N

Affected products we track (1)

Apache Tomcat

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.htmlAdvisory
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.htmlAdvisory
http://marc.info/?l=bugtraq&m=123376588623823&w=2Advisory
http://secunia.com/advisories/31639
http://secunia.com/advisories/31865
http://secunia.com/advisories/31891
http://secunia.com/advisories/31982