Bug 1265698 - (CVE-2015-5174) CVE-2015-5174 tomcat: URL Normalization issue
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20160222,reported=2...
Keywords: Security
Depends On: 1265704 1273410 1311095 1311102 1315982 1315983 1347128 1347129 1351915 1367051 1367052
Blocks: 1265668 1311109
Reported: 2015-09-23 09:47 EDT by Timothy Walsh
Modified: 2016-11-06 00:31 EDT (History)
CC: 16 users

Fixed In Version: tomcat 6.0.45, tomcat 7.0.65, tomcat 8.0.27
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.


Attachments: None
Description Timothy Walsh 2015-09-23 09:47:58 EDT
URL Normalisation issue

A directory traversal vulnerability exists in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 that allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
Comment 7 Andrej Nemec 2016-02-23 06:52:07 EST
When accessing resources via the ServletContext methods getResource(), getResourceAsStream() and getResourcePaths() the paths should be limited to the current web application. The validation was not correct and paths of the form "/.." were not rejected. Note that paths starting with "/../" were correctly rejected.

This bug allowed malicious web applications running under a security manager to obtain a directory listing for the directory in which the web application had been deployed. This should not be possible when running under a security manager. Typically, the directory listing that would be exposed would be for $CATALINA_BASE/webapps.

External references:

http://seclists.org/bugtraq/2016/Feb/149
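A Python model of the check described in comment 7, added here as an illustration (it is not Tomcat's RequestUtil.java; the function names and sample paths are constructed): the weak normalizer resolves only "/../", so a path ending in a bare "/.." passes through unchanged and is later resolved by the filesystem to the parent of the web application directory, typically $CATALINA_BASE/webapps; the hardened variant appends a trailing slash before resolving, so the same input is rejected.

```python
"""Added model of the path normalization discussed above; it is not
Tomcat's RequestUtil.java, and the function names are constructed.  It
contrasts a normalizer that only resolves '/../' (so a bare trailing
'/..' is never examined) with one that handles the last segment too."""


def normalize_weak(path):
    """Collapse '//', resolve '/./' and '/../'.  Return None when a
    '/../' would climb above the root.  A path that *ends* in '/..'
    contains no '/../', so it is returned unchanged: handed to the
    filesystem, it names the parent of the web application root."""
    normalized = path.replace("\\", "/")
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    while "//" in normalized:
        normalized = normalized.replace("//", "/")
    while "/./" in normalized:
        normalized = normalized.replace("/./", "/")
    while True:
        idx = normalized.find("/../")
        if idx < 0:
            return normalized
        if idx == 0:
            return None  # would leave the web application root
        prev = normalized.rfind("/", 0, idx)
        # drop the segment before '/..' together with the '/..' itself
        normalized = normalized[:prev] + normalized[idx + 3:]


def normalize_hardened(path):
    """Same algorithm, but a path ending in '/.' or '/..' first gets a
    trailing slash, so the final segment is resolved like any other and
    a bare '/..' becomes '/../', which is rejected."""
    normalized = path.replace("\\", "/")
    if not normalized.startswith("/"):
        normalized = "/" + normalized
    if normalized.endswith("/.") or normalized.endswith("/.."):
        normalized += "/"
    return normalize_weak(normalized)


if __name__ == "__main__":
    # Constructed sample paths; the first two are the cases from comment 7.
    for p in ["/..", "/../", "/WEB-INF/..", "/a/../..", "/a/b/../c"]:
        print(f"{p!r:16} weak={normalize_weak(p)!r:12} "
              f"hardened={normalize_hardened(p)!r}")
```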
Comment 12 errata-xmlrpc 2016-07-18 15:07:05 EDT
This issue has been addressed in the following products:

   Red Hat JBoss Enterprise Application Platform

Via RHSA-2016:1435 https://rhn.redhat.com/errata/RHSA-2016-1435.html
Comment 13 errata-xmlrpc 2016-07-18 15:41:50 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434
Comment 14 errata-xmlrpc 2016-07-18 15:42:31 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432
Comment 15 errata-xmlrpc 2016-07-18 15:45:41 EDT
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433
Comment 19 errata-xmlrpc 2016-10-10 16:42:17 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html
Comment 20 errata-xmlrpc 2016-11-03 17:09:24 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html