4.3

CVE-2015-5174

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DebianDebian Linux Version7.0
DebianDebian Linux Version8.0
ApacheTomcat Version6.0.0
ApacheTomcat Version6.0.0 Updatealpha
ApacheTomcat Version6.0.1
ApacheTomcat Version6.0.1 Updatealpha
ApacheTomcat Version6.0.2
ApacheTomcat Version6.0.2 Updatealpha
ApacheTomcat Version6.0.2 Updatebeta
ApacheTomcat Version6.0.4
ApacheTomcat Version6.0.4 Updatealpha
ApacheTomcat Version6.0.10
ApacheTomcat Version6.0.11
ApacheTomcat Version6.0.13
ApacheTomcat Version6.0.14
ApacheTomcat Version6.0.16
ApacheTomcat Version6.0.18
ApacheTomcat Version6.0.20
ApacheTomcat Version6.0.24
ApacheTomcat Version6.0.26
ApacheTomcat Version6.0.28
ApacheTomcat Version6.0.29
ApacheTomcat Version6.0.30
ApacheTomcat Version6.0.32
ApacheTomcat Version6.0.33
ApacheTomcat Version6.0.35
ApacheTomcat Version6.0.36
ApacheTomcat Version6.0.37
ApacheTomcat Version6.0.39
ApacheTomcat Version6.0.41
ApacheTomcat Version6.0.43
ApacheTomcat Version6.0.44
ApacheTomcat Version7.0.0 Updatebeta
ApacheTomcat Version7.0.2 Updatebeta
ApacheTomcat Version7.0.4 Updatebeta
ApacheTomcat Version7.0.5 Updatebeta
ApacheTomcat Version7.0.6
ApacheTomcat Version7.0.10
ApacheTomcat Version7.0.11
ApacheTomcat Version7.0.12
ApacheTomcat Version7.0.14
ApacheTomcat Version7.0.16
ApacheTomcat Version7.0.19
ApacheTomcat Version7.0.20
ApacheTomcat Version7.0.21
ApacheTomcat Version7.0.22
ApacheTomcat Version7.0.23
ApacheTomcat Version7.0.25
ApacheTomcat Version7.0.26
ApacheTomcat Version7.0.27
ApacheTomcat Version7.0.28
ApacheTomcat Version7.0.29
ApacheTomcat Version7.0.30
ApacheTomcat Version7.0.32
ApacheTomcat Version7.0.33
ApacheTomcat Version7.0.34
ApacheTomcat Version7.0.35
ApacheTomcat Version7.0.37
ApacheTomcat Version7.0.39
ApacheTomcat Version7.0.40
ApacheTomcat Version7.0.41
ApacheTomcat Version7.0.42
ApacheTomcat Version7.0.47
ApacheTomcat Version7.0.50
ApacheTomcat Version7.0.52
ApacheTomcat Version7.0.53
ApacheTomcat Version7.0.54
ApacheTomcat Version7.0.55
ApacheTomcat Version7.0.56
ApacheTomcat Version7.0.57
ApacheTomcat Version7.0.59
ApacheTomcat Version7.0.61
ApacheTomcat Version7.0.62
ApacheTomcat Version7.0.63
ApacheTomcat Version7.0.64
ApacheTomcat Version8.0.0 Updaterc1
ApacheTomcat Version8.0.0 Updaterc10
ApacheTomcat Version8.0.0 Updaterc3
ApacheTomcat Version8.0.0 Updaterc5
ApacheTomcat Version8.0.1
ApacheTomcat Version8.0.11
ApacheTomcat Version8.0.12
ApacheTomcat Version8.0.14
ApacheTomcat Version8.0.15
ApacheTomcat Version8.0.17
ApacheTomcat Version8.0.18
ApacheTomcat Version8.0.20
ApacheTomcat Version8.0.21
ApacheTomcat Version8.0.22
ApacheTomcat Version8.0.23
ApacheTomcat Version8.0.24
ApacheTomcat Version8.0.26
CanonicalUbuntu Linux Version12.04 SwEditionlts
CanonicalUbuntu Linux Version14.04 SwEditionlts
CanonicalUbuntu Linux Version15.10
CanonicalUbuntu Linux Version16.04 SwEditionlts
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 12.56% 0.957
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvd@nist.gov 4 8 2.9
AV:N/AC:L/Au:S/C:P/I:N/A:N
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://tomcat.apache.org/security-6.html
Vendor Advisory
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
http://tomcat.apache.org/security-7.html
Vendor Advisory
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
http://tomcat.apache.org/security-8.html
Vendor Advisory
http://www.debian.org/security/2016/dsa-3530
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
http://www.debian.org/security/2016/dsa-3552
http://marc.info/?l=bugtraq&m=145974991225029&w=2
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html
http://rhn.redhat.com/errata/RHSA-2016-1435.html
http://rhn.redhat.com/errata/RHSA-2016-2045.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
http://seclists.org/bugtraq/2016/Feb/149
http://svn.apache.org/viewvc?view=revision&revision=1696281
http://svn.apache.org/viewvc?view=revision&revision=1696284
http://svn.apache.org/viewvc?view=revision&revision=1700897
http://svn.apache.org/viewvc?view=revision&revision=1700898
http://svn.apache.org/viewvc?view=revision&revision=1700900
http://www.debian.org/security/2016/dsa-3609
http://www.securityfocus.com/bid/83329
http://www.securitytracker.com/id/1035070
http://www.ubuntu.com/usn/USN-3024-1
https://access.redhat.com/errata/RHSA-2016:1432
https://access.redhat.com/errata/RHSA-2016:1433
https://access.redhat.com/errata/RHSA-2016:1434
https://bto.bluecoat.com/security-advisory/sa118
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350%40%3Cusers.tomcat.apache.org%3E
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180531-0001/