
Bug 273662 (CVE-2008-5515)

Summary: <=www-servers/tomcat-{6.0.18, 5.5.27-r3} RequestDispatcher directory traversal (CVE-2008-5515)
Product: Gentoo Security
Reporter: Mike Weissman <mike>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: java
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 272566, 273931, 329937
Bug Blocks: 322979

Description Mike Weissman 2009-06-10 22:12:00 UTC
Updated to add additional patches required for 5.5.x and 4.1.x

CVE-2008-5515: Apache Tomcat information disclosure vulnerability

Severity: Important

The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18

When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.

For a page that contains:

<%
request.getRequestDispatcher( "bar.jsp?somepar=someval&par=" +
    request.getParameter( "blah" ) ).forward( request, response );
%>

an attacker can use:

This issue was discovered by Iida Minehiko, Fujitsu Limited

Submitting patches, along with patches to the ebuild.

Reproducible: Always
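The ordering defect the advisory describes, reduced to its essentials in Python as an added example (this is not code from the bug report or from Tomcat; the directory name and the simplified segment-based normaliser are constructed stand-ins for the container's real resolution logic):

```python
from urllib.parse import quote

WEBAPP_DIR = "/myapp"  # constructed: directory of the page that calls getRequestDispatcher()


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments; a simplified model of the container's normalisation."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()  # '..' discards the previous segment, whatever it contains
            continue
        out.append(seg)
    return "/" + "/".join(out)


def resolve_vulnerable(base_dir: str, target: str) -> tuple[str, str]:
    """Affected order: normalise the whole target first, strip the query string afterwards.

    A '..' inside a parameter value is still part of the string being normalised, so it
    discards the 'bar.jsp?...' segment and the resolved path no longer points at bar.jsp.
    """
    normalized = normalize(base_dir + "/" + target)
    path, _, query = normalized.partition("?")
    return path, query


def resolve_fixed(base_dir: str, target: str) -> tuple[str, str]:
    """Fixed order: strip the query string first, then normalise only the path part."""
    path, _, query = target.partition("?")
    return normalize(base_dir + "/" + path), query


def build_target(param_value: str, encode: bool) -> str:
    """Rebuild the dispatcher target from the advisory's JSP snippet.

    With encode=True the application percent-encodes the user-supplied value before
    concatenating it, so '/' cannot introduce new path segments even on an affected container.
    """
    if encode:
        param_value = quote(param_value, safe="")
    return "bar.jsp?somepar=someval&par=" + param_value
```

Comparing the two resolvers on the same target shows that only the affected order lets data from the query string change the path that is forwarded to, and that encoding the parameter on the application side closes the same gap independently of the container.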
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-17 10:25:01 UTC
CVE-2008-5515 (
  Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0
  through 6.0.18, and possibly earlier versions normalizes the target
  pathname before filtering the query string when using the
  RequestDispatcher method, which allows remote attackers to bypass
  intended access restrictions and conduct directory traversal attacks
  via .. (dot dot) sequences and the WEB-INF directory in a Request.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-09 16:38:18 UTC
Will be added to glsa request.
Comment 3 Miroslav Šulc gentoo-dev 2011-12-24 20:34:42 UTC
Tomcat 5.5.x has been removed from the main tree because it is heading towards its EOL on 2012-09-30 and it is unmaintained on our side (all the effort goes to the 6.x and 7.x releases). Tomcat 5.5.x has been moved to java-overlay for those that still need it.
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-09 18:10:48 UTC
This CVE is already on an existing GLSA request, so added the bug too.
Comment 5 Miroslav Šulc gentoo-dev 2012-03-25 20:24:05 UTC
What is the status of this bug? There has been no affected version in the tree for quite some time.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:12:14 UTC
This issue was resolved and addressed in GLSA 201206-24 at by GLSA coordinator Tobias Heinlein (keytoaster).