456120 – (CVE-2008-2938) CVE-2008-2938 tomcat Unicode directory traversal vulnerability

Bug 456120 (CVE-2008-2938) - CVE-2008-2938 tomcat Unicode directory traversal vulnerability

Summary: CVE-2008-2938 tomcat Unicode directory traversal vulnerability

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2008-2938
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	456214 456216 460125 460126 460127 460131 460132 460177 460646 460647 466471 466472 466473 470243 470244
Blocks:
TreeView+	depends on / blocked

Reported:	2008-07-21 16:29 UTC by Marc Schoenefeld
Modified:	2019-09-29 12:25 UTC (History)
CC List:	3 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2013-07-03 06:47:30 UTC
Embargoed:

Attachments	(Terms of Use)
Patch for Tomcat 5.5.23 (2.51 KB, patch) 2008-07-21 16:31 UTC, Marc Schoenefeld	no flags	Details \| Diff
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2008:0648	normal	SHIPPED_LIVE	Important: tomcat security update	2008-08-27 17:13:49 UTC
Red Hat Product Errata	RHSA-2008:0862	normal	SHIPPED_LIVE	Important: tomcat security update	2008-10-02 14:03:32 UTC
Red Hat Product Errata	RHSA-2008:0864	normal	SHIPPED_LIVE	Important: tomcat security update	2008-10-02 14:02:59 UTC
Red Hat Product Errata	RHSA-2008:0877	normal	SHIPPED_LIVE	Important: jbossweb security update	2008-09-22 13:32:27 UTC
Red Hat Product Errata	RHSA-2008:1007	normal	SHIPPED_LIVE	Low: tomcat security update for Red Hat Network Satellite Server	2008-12-08 09:02:54 UTC

Description Marc Schoenefeld 2008-07-21 16:29:01 UTC

Tomcat allows remote attackers to access local resources via directory
traversal, iff the following two modifications have been applied
- URIEncoding in server.xml (tag Connector) is set to "UTF-8" 
- allowLinking in context.xml (tag Context) is set to "true"

Comment 13 Fedora Update System 2008-09-05 17:10:40 UTC

tomcat6-6.0.18-1.1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/tomcat6-6.0.18-1.1.fc9

Comment 14 Fedora Update System 2008-09-11 17:17:08 UTC

tomcat6-6.0.18-1.1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2008-09-15 18:12:21 UTC

tomcat5-5.5.27-0jpp.1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.1.fc8

Comment 16 Fedora Update System 2008-09-15 20:13:58 UTC

tomcat5-5.5.27-0jpp.2.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.2.fc9

Comment 17 Fedora Update System 2008-09-15 20:16:30 UTC

tomcat5-5.5.27-0jpp.2.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/tomcat5-5.5.27-0jpp.2.fc8

Comment 18 Fedora Update System 2008-09-16 23:25:01 UTC

tomcat5-5.5.27-0jpp.2.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2008-09-16 23:28:26 UTC

tomcat5-5.5.27-0jpp.2.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.