Skip to content

Apache Tomcat Directory Traversal vulnerability

Moderate severity GitHub Reviewed Published May 1, 2022 to the GitHub Advisory Database • Updated Feb 23, 2024

Package

maven org.apache.tomcat:tomcat (Maven)

Affected versions

>= 4.1.0, <= 4.1.37
>= 5.5.0, <= 5.5.26
>= 6.0.0, <= 6.0.16

Patched versions

4.1.39
5.5.27
6.0.18

Description

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

References

Published by the National Vulnerability Database Aug 13, 2008
Published to the GitHub Advisory Database May 1, 2022
Reviewed Feb 23, 2024
Last updated Feb 23, 2024

Severity

Moderate

EPSS score

96.276%
(100th percentile)

Weaknesses

CVE ID

CVE-2008-2938

GHSA ID

GHSA-m7xj-ccqc-p4g2

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.