Vulnerability Note VU#343355
Apache Tomcat UTF8 Directory Traversal Vulnerability
Apache Tomcat contains a vulnerability that may allow directory traversal.
Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies. Apache Tomcat contains a vulnerability in the way malformed requests are handled. According to the Apache Tomcat 6.x Vulnerabilities page:
If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files on the server.
This vulnerability affects versions 4.1.0-4.1.37, 5.5.0-5.5.26, and 6.0.0-6.0.16.
Note that we are aware of publicly available exploit code for this vulnerability.
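To check whether a given installation meets the conditions described above, the following added example (not part of the original note or of Apache Tomcat) parses a Tomcat configuration file and tests the version against the ranges listed here. The function names and the sample configuration are constructed for illustration; the check assumes one file is audited at a time and that any UTF-8 connector in it can serve any context in it.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges as listed in this note: (first, last), inclusive.
AFFECTED = [((4, 1, 0), (4, 1, 37)),
            ((5, 5, 0), (5, 5, 26)),
            ((6, 0, 0), (6, 0, 16))]

def version_affected(version):
    """True if a 'major.minor.patch' version string falls in a listed range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % version)
    v = tuple(int(p) for p in m.groups())
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def risky_settings(xml_text):
    """Return (paths of contexts with allowLinking=true,
               ports of connectors with URIEncoding=UTF-8)."""
    root = ET.fromstring(xml_text)  # works for server.xml or a context.xml
    contexts = [c.get("path", "") for c in root.iter("Context")
                if (c.get("allowLinking") or "").strip().lower() == "true"]
    connectors = [c.get("port", "?") for c in root.iter("Connector")
                  if (c.get("URIEncoding") or "").strip().upper() in ("UTF-8", "UTF8")]
    return contexts, connectors

def exposed(version, xml_text):
    """True only when all three conditions hold: affected version,
    a context with allowLinking=true, and a UTF-8 connector."""
    contexts, connectors = risky_settings(xml_text)
    return version_affected(version) and bool(contexts) and bool(connectors)

# Constructed sample configuration (not taken from a real deployment).
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/files" docBase="files" allowLinking="true"/>
        <Context path="/app" docBase="app"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

if __name__ == "__main__":
    print(risky_settings(SAMPLE_SERVER_XML))
    print(exposed("6.0.16", SAMPLE_SERVER_XML), exposed("6.0.18", SAMPLE_SERVER_XML))
```

Contexts defined in separate files (for example per-application context.xml files) need to be passed through `risky_settings` individually and combined with the connector result from server.xml.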
A remote attacker could gain access to arbitrary files on the server.
Apply an update
Systems Affected
|Vendor|Status|Date Notified|Date Updated|
|---|---|---|---|
|Apache Tomcat|Affected|-|19 Aug 2008|
This issue was reported by William A. Rowe of Apache.
This document was written by Chris Taschner.
- CVE IDs: CVE-2008-2938
- Date Public: 11 Aug 2008
- Date First Published: 19 Aug 2008
- Date Last Updated: 19 Aug 2008
- Severity Metric: 7.14
- Document Revision: 4