Bug 173125 - www-servers/tomcat < 5.5.22 or < 6.0.10 directory traversal (CVE-2007-0450)
Summary: www-servers/tomcat < 5.5.22 or < 6.0.10 directory traversal (CVE-2007-0450)
Status: RESOLVED DUPLICATE of bug 173122
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/24732/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-04-02 11:49 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2020-03-28 22:35 UTC
CC: 2 users

See Also:
Package list:
Runtime testing required: ---
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-04-02 11:49:59 UTC
D. Matscheko has reported a security issue in Apache Tomcat, which
can be exploited by malicious people to bypass certain security
restrictions.

If Tomcat is running behind a proxy with context restriction, an
error within the handling of certain path delimiters in requests
('%2F', '%5C', and '\') can be exploited to bypass the context
restrictions and may allow access to non-proxied contexts.

The security issue is reported in versions 5.5.0 to 5.5.21, 5.0.0 to 
5.5.0.30, and 6.0.0 to 6.0.9.

arches, please mark versions 5.5.23 and 6.0.10-r1 stable:
keywords for 5.5.23: "~amd64 ppc ppc64 ~x86 ~x86-fbsd" 
keywords for 6.0.10-r1: "~amd64 ~ppc ~x86 ~x86-fbsd"
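An added example, not code from this bug, the Secunia advisory or Tomcat itself: a proxy-side context restriction applied to the raw request path next to the same restriction applied to the canonical path, using the delimiters the advisory names (%2F, %5C and a literal backslash). The context name /public, the internal path and the sample requests are constructed.

```python
from urllib.parse import unquote

# Constructed sample policy: the front-end proxy is meant to expose only this context.
ALLOWED_CONTEXT = "/public"

def naive_is_allowed(raw_path: str) -> bool:
    """Prefix check on the raw request path, before any decoding.
    This is the kind of restriction the advisory says can be bypassed."""
    return raw_path.startswith(ALLOWED_CONTEXT)

def canonicalize(raw_path: str) -> str:
    """Reduce a request path to what the backend would resolve: percent-decode
    once, treat backslash as a separator, fold '.' and '..' segments.
    Raises ValueError if the path would climb above the root."""
    path = unquote(raw_path).replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes the root")
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)

def hardened_is_allowed(raw_path: str) -> bool:
    """Apply the restriction to the canonical path, matching whole segments."""
    try:
        canon = canonicalize(raw_path)
    except ValueError:
        return False
    return canon == ALLOWED_CONTEXT or canon.startswith(ALLOWED_CONTEXT + "/")

def find_mismatches(raw_paths):
    """Detection helper: requests the raw check admits but the canonical
    check rejects are the ones worth flagging in proxy access logs."""
    return [p for p in raw_paths if naive_is_allowed(p) and not hardened_is_allowed(p)]

if __name__ == "__main__":
    # Constructed requests using the delimiters named in the advisory.
    sample = ["/public/index.html", "/public/..%2Finternal/status",
              "/public/..%5Cinternal/status", "/public/..\\internal/status",
              "/publicity/index.html"]
    print(find_mismatches(sample))
```

The last sample shows a second weakness of raw prefix matching: a sibling context whose name merely begins with the allowed one is admitted until the check is done on whole path segments.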
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-04-02 11:57:12 UTC
Duping this one as we already have bug #173122. Uncalling arches until we have a green light from java.

*** This bug has been marked as a duplicate of bug 173122 ***