 |
|
|
|
Apache Tomcat multiple security vulnerabilities
updated since 01.08.2008 | | Published: |  | 28.01.2009 | | Source: |  | BUGTRAQ | | SecurityVulns ID: |  | 9193 | | Type: |  | remote | | Level: |  | 6/10 | | Description: |  | Crossite scripting, information leak. |
| Affected: |  | APACHE : Tomcat 4.1 | | | | APACHE : Tomcat 5.5 | | | | APACHE : Tomcat 6.0 | | | | CA : Cohesion Application Configuration Manager 4.5 | | CVE: |  | CVE-2008-2938 (Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.) | | | | CVE-2008-2370 (Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter.) | | | | CVE-2008-1232 |
|
|
|
|
|
|
|
|
