Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2902 to the following vulnerability: Name: CVE-2009-2902 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902 Assigned: 20090820 Reference: BUGTRAQ:20100124 [SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory Reference: URL: http://www.securityfocus.com/archive/1/archive/1/509150/100/0/threaded Reference: CONFIRM: http://svn.apache.org/viewvc?rev=892815&view=rev Reference: CONFIRM: http://svn.apache.org/viewvc?rev=902650&view=rev Reference: CONFIRM: http://tomcat.apache.org/security-5.html Reference: CONFIRM: http://tomcat.apache.org/security-6.html Reference: BID:37945 Reference: URL: http://www.securityfocus.com/bid/37945 Reference: SECTRACK:1023504 Reference: URL: http://securitytracker.com/id?1023504 Reference: SECUNIA:38316 Reference: URL: http://secunia.com/advisories/38316 Reference: SECUNIA:38346 Reference: URL: http://secunia.com/advisories/38346 Reference: VUPEN:ADV-2010-0213 Reference: URL: http://www.vupen.com/english/advisories/2010/0213 Reference: XF:apache-tomcat-war-directory-traversal(55857) Reference: URL: http://xforce.iss.net/xforce/xfdb/55857 Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename.
The patch file is attached to https://bugzilla.redhat.com/show_bug.cgi?id=559738. The fix was checked in upstream as one submission.
This issue has been addressed in following products: JBEWS 1.0.0 for RHEL 4 JBEWS 1.0.0 for RHEL 5 Via RHSA-2010:0119 https://rhn.redhat.com/errata/RHSA-2010-0119.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2010:0580 https://rhn.redhat.com/errata/RHSA-2010-0580.html
This issue has been addressed in following products: RHAPS Version 2 for RHEL 4 Via RHSA-2010:0582 https://rhn.redhat.com/errata/RHSA-2010-0582.html
This issue has been addressed in following products: Red Hat Certificate System 7.3 Via RHSA-2010:0693 https://rhn.redhat.com/errata/RHSA-2010-0693.html