CVE-2008-2938

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 13-08-2008 02:41

Last modified: - 03-02-2022 08:45

Total changes: - 2

Description

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

Common Vulnerability Scoring System (CVSS)

AV:N/AC:M/Au:N/C:P/I:N/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

None

Integrity

Privileges required

Scope

User interaction

4.3

Base score

8.6

2.9

Exploitability score

Impact score

Verification logic

vendor=apache AND product=Tomcat AND versionEndIncluding=4.1.37 AND versionStartIncluding=4.0.0

vendor=apache AND product=Tomcat AND versionEndIncluding=5.5.26 AND versionStartIncluding=5.0.0

vendor=apache AND product=Tomcat AND versionEndIncluding=6.0.16 AND versionStartIncluding=6.0.0

Reference

http://tomcat.apache.org/security-6.html
30633-Third Party Advisory, VDB Entry
RHSA-2008:0648-Third Party Advisory
VU#343355-Third Party Advisory, US Government Resource
31639-Broken Link
1020665-Third Party Advisory, VDB Entry
http://tomcat.apache.org/security-4.html
http://tomcat.apache.org/security-5.html
MDVSA-2008:188-Third Party Advisory
FEDORA-2008-8113-Third Party Advisory
SUSE-SR:2008:018-Third Party Advisory
31891-Broken Link
FEDORA-2008-8130-Third Party Advisory
31865-Broken Link
FEDORA-2008-7977-Third Party Advisory
RHSA-2008:0862-Third Party Advisory
RHSA-2008:0864-Third Party Advisory
APPLE-SA-2008-10-09-Mailing List, Third Party Advisory
31681-Third Party Advisory, VDB Entry
http://support.apple.com/kb/HT3216
32222-Broken Link
http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm
4148-Third Party Advisory
31982-Broken Link
HPSBUX02401-Third Party Advisory
33797-Broken Link
SUSE-SR:2009:004-Third Party Advisory
32120-Broken Link
32266-Broken Link
http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt
37297-Broken Link
ADV-2009-0320-Third Party Advisory
ADV-2008-2823-Third Party Advisory
ADV-2008-2343-Third Party Advisory
ADV-2008-2780-Third Party Advisory
tomcat-allowlinking-utf8-directory-traversal(44411)-Third Party Advisory, VDB Entry
6229-Third Party Advisory, VDB Entry
oval:org.mitre.oval:def:10587-Tool Signature
20091107 ToutVirtual VirtualIQ Multiple Vulnerabilities-Third Party Advisory, VDB Entry
20080811 Apache Tomcat <= 6.0.18 UTF8 Directory Traversal Vulnerability-Third Party Advisory, VDB Entry
[tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/-Mailing List, Vendor Advisory
[tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/-Mailing List, Vendor Advisory
[tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/-Mailing List, Vendor Advisory

Keywords

CVE-2008-2938

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2008-2938

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures