Bug 457934 (CVE-2008-2370)
Summary: | CVE-2008-2370 tomcat RequestDispatcher information disclosure vulnerability | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marc Schoenefeld <mschoene> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | djorm, kreilly |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-07-03 06:52:56 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 458088, 458089, 458097, 458099, 458100, 458443, 458444, 458445, 458634, 458635, 460125, 460126, 460127, 460131, 460132, 470238, 470239 | ||
Bug Blocks: |
Description
Marc Schoenefeld
2008-08-05 16:03:59 UTC
Patch for Tomcat 5.5.x available upstream: http://svn.apache.org/viewvc?rev=680949&view=rev Example: For a page that contains: <% pageContext.forward("/page2.jsp?somepar=someval&par="+request.getParameter("blah")); %> an attacker can use: http://host/page.jsp?blah=/../WEB-INF/web.xml tomcat6-6.0.18-1.1.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/tomcat6-6.0.18-1.1.fc9 tomcat6-6.0.18-1.1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. tomcat5-5.5.27-0jpp.1.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.1.fc8 tomcat5-5.5.27-0jpp.2.fc9 has been submitted as an update for Fedora 9. http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.2.fc9 tomcat5-5.5.27-0jpp.2.fc8 has been submitted as an update for Fedora 8. http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.2.fc8 tomcat5-5.5.27-0jpp.2.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report. tomcat5-5.5.27-0jpp.2.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report. This issue has been addressed in following products: Red Hat Certificate System 7.3 Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html |