Bug 1265698 (CVE-2015-5174)
| Summary: | CVE-2015-5174 tomcat: URL Normalization issue | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Timothy Walsh <twalsh> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | unspecified | CC: | aogburn, csutherl, jclere, jdoyle, lgao, mbabacek, myarboro, pslavice, rsvoboda, security-response-team, twalsh, weli, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | tomcat 6.0.45, tomcat 7.0.65, tomcat 8.0.27 | Doc Type: | Bug Fix |
| Doc Text: | A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-06-08 02:43:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1265704, 1273410, 1311095, 1311102, 1315982, 1315983, 1347128, 1347129, 1351915, 1367051, 1367052 | | |
| Bug Blocks: | 1265668, 1311109 | | |
Description

Timothy Walsh
2015-09-23 13:47:58 UTC

Public via: http://seclists.org/bugtraq/2016/Feb/149

Upstream patches:

- Tomcat6: http://svn.apache.org/viewvc?view=revision&revision=1700900
- Tomcat7: http://svn.apache.org/viewvc?view=revision&revision=1696284, http://svn.apache.org/viewvc?view=revision&revision=1700898
- Tomcat8: http://svn.apache.org/viewvc?view=revision&revision=1696281, http://svn.apache.org/viewvc?view=revision&revision=1700897

When accessing resources via the ServletContext methods getResource(), getResourceAsStream() and getResourcePaths(), the paths should be limited to the current web application. The validation was not correct and paths of the form "/.." were not rejected. Note that paths starting with "/../" were correctly rejected. This bug allowed malicious web applications running under a security manager to obtain a directory listing for the directory in which the web application had been deployed. This should not be possible when running under a security manager. Typically, the directory listing that would be exposed would be for $CATALINA_BASE/webapps.

External references: http://seclists.org/bugtraq/2016/Feb/149

This issue has been addressed in the following products:

- Red Hat JBoss Enterprise Application Platform: via RHSA-2016:1435, https://rhn.redhat.com/errata/RHSA-2016-1435.html
- JBEAP 6.4.z for RHEL 7: via RHSA-2016:1434, https://access.redhat.com/errata/RHSA-2016:1434
- JBEAP 6.4.z for RHEL 6: via RHSA-2016:1432, https://access.redhat.com/errata/RHSA-2016:1432
- JBEAP 6.4.z for RHEL 6: via RHSA-2016:1433, https://access.redhat.com/errata/RHSA-2016:1433
- Red Hat Enterprise Linux 6: via RHSA-2016:2045, https://rhn.redhat.com/errata/RHSA-2016-2045.html
- Red Hat Enterprise Linux 7: via RHSA-2016:2599, https://rhn.redhat.com/errata/RHSA-2016-2599.html
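The normalization defect described above, as an added illustration rather than Tomcat's own code: a simplified Python model of a RequestUtil-style path normalizer, where `fixed=False` reproduces the flaw (a trailing "/.." passes through unresolved while "/../" is rejected) and `fixed=True` models the assumed shape of the upstream correction, appending "/" to a path ending in "/.." or "/." before the collapse runs. The function names, the `fixed` flag and the sample paths are mine, not from the bug report.

```python
# Added illustration, not Tomcat's code: a simplified model of the
# ServletContext resource-path normalization behind CVE-2015-5174.
# `fixed=False` reproduces the flawed behaviour described in the report
# (a trailing "/.." survives untouched); `fixed=True` models the assumed
# upstream correction of appending "/" to a path ending in "/.." or "/."
# so that the "/../" collapse below actually sees the final segment.

def normalize(path, fixed=True):
    """Collapse "//", "/./" and "/../"; return None if the path escapes the root."""
    if not path.startswith("/"):
        return None            # resource paths must be context-relative
    normalized = path
    if fixed and (normalized.endswith("/..") or normalized.endswith("/.")):
        normalized += "/"      # the fix: make the last segment visible to the loops
    while "//" in normalized:
        normalized = normalized.replace("//", "/")
    while "/./" in normalized:
        normalized = normalized.replace("/./", "/")
    while True:
        idx = normalized.find("/../")
        if idx < 0:
            break
        if idx == 0:
            return None        # "/../..." climbs above the web application root
        prev = normalized.rfind("/", 0, idx)          # start of the preceding segment
        normalized = normalized[:prev] + normalized[idx + 3:]
    return normalized


def resource_path_allowed(path, fixed=True):
    """Model of the admission check a getResource()/getResourcePaths() call applies."""
    return normalize(path, fixed) is not None


if __name__ == "__main__":
    # Constructed sample paths; the first one is the CVE case.
    for p in ("/..", "/../", "/WEB-INF/../index.jsp", "/a/b/..", "WEB-INF/web.xml"):
        print(f"{p!r:26} flawed={normalize(p, fixed=False)!r:16} fixed={normalize(p)!r}")
```

With `fixed=False`, "/.." is returned unchanged and therefore admitted, which is the parent-directory listing the report describes; with the fix it normalizes to "/../" and is rejected like any other escape.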