CVE-2009-2693

EPSS 15.32%
Veröffentlicht 28.01.2010 20:30:01
Zuletzt bearbeitet 11.04.2025 00:51:21
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 50

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Apache ≫ Tomcat Version5.5.0

Apache ≫ Tomcat Version5.5.1

Apache ≫ Tomcat Version5.5.2

Apache ≫ Tomcat Version5.5.3

Apache ≫ Tomcat Version5.5.4

Apache ≫ Tomcat Version5.5.5

Apache ≫ Tomcat Version5.5.6

Apache ≫ Tomcat Version5.5.7

Apache ≫ Tomcat Version5.5.8

Apache ≫ Tomcat Version5.5.9

Apache ≫ Tomcat Version5.5.10

Apache ≫ Tomcat Version5.5.11

Apache ≫ Tomcat Version5.5.12

Apache ≫ Tomcat Version5.5.13

Apache ≫ Tomcat Version5.5.14

Apache ≫ Tomcat Version5.5.15

Apache ≫ Tomcat Version5.5.16

Apache ≫ Tomcat Version5.5.17

Apache ≫ Tomcat Version5.5.18

Apache ≫ Tomcat Version5.5.19

Apache ≫ Tomcat Version5.5.20

Apache ≫ Tomcat Version5.5.21

Apache ≫ Tomcat Version5.5.22

Apache ≫ Tomcat Version5.5.23

Apache ≫ Tomcat Version5.5.24

Apache ≫ Tomcat Version5.5.25

Apache ≫ Tomcat Version5.5.26

Apache ≫ Tomcat Version5.5.27

Apache ≫ Tomcat Version5.5.28

Apache ≫ Tomcat Version6.0

Apache ≫ Tomcat Version6.0.0

Apache ≫ Tomcat Version6.0.1

Apache ≫ Tomcat Version6.0.2

Apache ≫ Tomcat Version6.0.3

Apache ≫ Tomcat Version6.0.4

Apache ≫ Tomcat Version6.0.5

Apache ≫ Tomcat Version6.0.6

Apache ≫ Tomcat Version6.0.7

Apache ≫ Tomcat Version6.0.8

Apache ≫ Tomcat Version6.0.9

Apache ≫ Tomcat Version6.0.10

Apache ≫ Tomcat Version6.0.11

Apache ≫ Tomcat Version6.0.12

Apache ≫ Tomcat Version6.0.13

Apache ≫ Tomcat Version6.0.14

Apache ≫ Tomcat Version6.0.15

Apache ≫ Tomcat Version6.0.16

Apache ≫ Tomcat Version6.0.17

Apache ≫ Tomcat Version6.0.18

Apache ≫ Tomcat Version6.0.19

Apache ≫ Tomcat Version6.0.20

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	15.32%	0.94

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.8	8.6	4.9	AV:N/AC:M/Au:N/C:N/I:P/A:P

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://tomcat.apache.org/security-5.html

Patch

Vendor Advisory

http://tomcat.apache.org/security-6.html

Patch

Vendor Advisory

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html

http://support.apple.com/kb/HT4077

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E