Bugzilla – Bug 967967
VUL-0: CVE-2015-5174: tomcat6, tomcat: URL Normalization issue
Last modified: 2018-08-23 16:08:15 UTC
http://seclists.org/bugtraq/2016/Feb/149 CVE-2015-5174 Apache Tomcat Limited Directory Traversal Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.64 - - Apache Tomcat 8.0.0.RC1 to 8.0.26 - - Apache Tomcat 9 is not affected - - Earlier, unsupported Tomcat versions may be affected Description: When accessing resources via the ServletContext methods getResource() getResourceAsStream() and getResourcePaths() the paths should be limited to the current web application. The validation was not correct and paths of the form "/.." were not rejected. Note that paths starting with "/../" were correctly rejected. This bug allowed malicious web applications running under a security manager to obtain a directory listing for the directory in which the web application had been deployed. This should not be possible when running under a security manager. Typically, the directory listing that would be exposed would be for $CATALINA_BASE/webapps. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 8.0.27 or later - - Upgrade to Apache Tomcat 7.0.65 or later - - Upgrade to Apache Tomcat 6.0.45 or later Credit: This issue was discovered by the Apache Tomcat security team. References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html [4] http://tomcat.apache.org/security-6.html References: https://bugzilla.redhat.com/show_bug.cgi?id=1265698 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5174 http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-5174.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174
bugbot adjusting priority
SUSE-SU-2016:0769-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 967812,967814,967815,967964,967965,967966,967967 CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): tomcat-8.0.32-3.1
SUSE-SU-2016:0822-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 967812,967814,967815,967964,967965,967966,967967 CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763 Sources used: SUSE Linux Enterprise Server 12 (src): tomcat-7.0.68-7.6.1
SUSE-SU-2016:0839-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (important) Bug References: 934219,967815,967964,967965,967967 CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2016-0706,CVE-2016-0714 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): tomcat6-6.0.45-0.50.1
openSUSE-SU-2016:0865-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 967812,967814,967815,967964,967965,967966,967967 CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763 Sources used: openSUSE Leap 42.1 (src): tomcat-8.0.32-5.1
Tomcat was patched. This can be closed.
released