Bug 504753 (CVE-2008-5515) - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability
Summary: CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2008-5515
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Pavel Kralik
URL:
Whiteboard:
Depends On: 504758 504759 504760 504761 528911 528912 528913 528914 533903 533905
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-06-09 08:19 UTC by Marc Schoenefeld
Modified: 2019-09-29 12:30 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-25 20:11:45 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1143 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 4.2.0.CP07 update 2009-07-06 11:42:19 UTC
Red Hat Product Errata RHSA-2009:1144 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 4.2.0.CP07 update 2009-07-06 11:42:33 UTC
Red Hat Product Errata RHSA-2009:1145 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 4.3.0.CP05 update 2009-07-06 11:41:01 UTC
Red Hat Product Errata RHSA-2009:1146 0 normal SHIPPED_LIVE Important: JBoss Enterprise Application Platform 4.3.0.CP05 update 2009-07-06 11:41:29 UTC
Red Hat Product Errata RHSA-2009:1164 0 normal SHIPPED_LIVE Important: tomcat security update 2009-07-21 20:56:29 UTC
Red Hat Product Errata RHSA-2009:1454 0 normal SHIPPED_LIVE Important: tomcat5 security update 2009-09-23 15:15:12 UTC
Red Hat Product Errata RHSA-2009:1506 0 normal SHIPPED_LIVE Important: tomcat6 security update 2009-10-14 16:15:15 UTC
Red Hat Product Errata RHSA-2009:1562 0 normal SHIPPED_LIVE Important: tomcat security update 2009-11-09 15:26:22 UTC
Red Hat Product Errata RHSA-2009:1563 0 normal SHIPPED_LIVE Important: tomcat security update 2009-11-09 15:37:31 UTC
Red Hat Product Errata RHSA-2009:1616 0 normal SHIPPED_LIVE Low: tomcat security update for Red Hat Network Satellite Server 2009-11-30 15:16:12 UTC
Red Hat Product Errata RHSA-2009:1617 0 normal SHIPPED_LIVE Low: tomcat security update for Red Hat Network Satellite Server 2009-11-30 15:18:07 UTC
Red Hat Product Errata RHSA-2010:0602 0 normal SHIPPED_LIVE Moderate: Red Hat Certificate System 7.3 security update 2010-08-05 14:04:51 UTC

Description Marc Schoenefeld 2009-06-09 08:19:48 UTC
http://marc.info/?l=tomcat-dev&m=124449799021570&w=2

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-5515: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.39
Tomcat 5.5.0 to 5.5.27
Tomcat 6.0.0 to 6.0.18
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description:
When using a RequestDispatcher obtained from the Request, the target
path was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it in under the WEB-INF directory.

Mitigation:
6.0.x users should upgrade to 6.0.20 or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=734734
5.5.x users should upgrade to 5.5.28 when released or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=782757
4.1.x users should upgrade to 4.1.40 when released or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=782763

Example:
For a page that contains:
<%
request.getRequestDispatcher( "bar.jsp?somepar=someval&par=" +
    request.getParameter( "blah" ) ).forward( request, response );
%>

an attacker can use:
http://host/page.jsp?blah=/../WEB-INF/web.xml

Credit:
This issue was discovered by Iida Minehiko, Fujitsu Limited

References:
http://tomcat.apache.org/security.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkotiBQACgkQb7IeiTPGAkMi6QCgnlzEt/7byUJo2YXGHMLj2ckH
rF8AoK8dmpZcxd5pV9VvEaPqm4xhXJPO
=bDV5
-----END PGP SIGNATURE-----

Comment 4 Marc Schoenefeld 2009-06-10 14:41:53 UTC
5.5.x revision have been extended to: 

This was fixed in revision 782757 and  revision 783291.
(http://tomcat.apache.org/security-5.html)

4.1.x revisions have been extended to: 

This was fixed in revision 782763 and  revision 783292.
(http://tomcat.apache.org/security-4.html)

Comment 5 errata-xmlrpc 2009-07-06 11:41:10 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 5

Via RHSA-2009:1145 https://rhn.redhat.com/errata/RHSA-2009-1145.html

Comment 6 errata-xmlrpc 2009-07-06 11:41:37 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4

Via RHSA-2009:1146 https://rhn.redhat.com/errata/RHSA-2009-1146.html

Comment 7 errata-xmlrpc 2009-07-06 11:42:27 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 5

Via RHSA-2009:1143 https://rhn.redhat.com/errata/RHSA-2009-1143.html

Comment 8 errata-xmlrpc 2009-07-06 11:42:41 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0 for RHEL 4

Via RHSA-2009:1144 https://rhn.redhat.com/errata/RHSA-2009-1144.html

Comment 9 errata-xmlrpc 2009-07-21 20:56:42 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2009:1164 https://rhn.redhat.com/errata/RHSA-2009-1164.html

Comment 10 errata-xmlrpc 2009-09-21 15:51:58 UTC
This issue has been addressed in following products:

  JBEWS 1.0.0 for RHEL 4
  JBEWS 1.0.0 for RHEL 5

Via RHSA-2009:1454 https://rhn.redhat.com/errata/RHSA-2009-1454.html

Comment 14 errata-xmlrpc 2009-10-14 16:15:27 UTC
This issue has been addressed in following products:

  JBEWS 1.0.0 for RHEL 5
  JBEWS 1.0.0 for RHEL 4

Via RHSA-2009:1506 https://rhn.redhat.com/errata/RHSA-2009-1506.html

Comment 15 errata-xmlrpc 2009-11-09 15:26:33 UTC
This issue has been addressed in following products:

  RHAPS Version 2 for RHEL 4

Via RHSA-2009:1562 https://rhn.redhat.com/errata/RHSA-2009-1562.html

Comment 16 errata-xmlrpc 2009-11-09 15:37:43 UTC
This issue has been addressed in following products:

  Red Hat Developer Suite V.3

Via RHSA-2009:1563 https://rhn.redhat.com/errata/RHSA-2009-1563.html

Comment 21 errata-xmlrpc 2009-11-30 15:16:24 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.2
  Red Hat Network Satellite Server v 5.3

Via RHSA-2009:1616 https://rhn.redhat.com/errata/RHSA-2009-1616.html

Comment 22 errata-xmlrpc 2009-11-30 15:18:16 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.1

Via RHSA-2009:1617 https://rhn.redhat.com/errata/RHSA-2009-1617.html

Comment 23 errata-xmlrpc 2010-08-04 21:31:14 UTC
This issue has been addressed in following products:

  Red Hat Certificate System 7.3

Via RHSA-2010:0602 https://rhn.redhat.com/errata/RHSA-2010-0602.html

Comment 24 Kurt Seifried 2011-10-25 20:11:45 UTC
All children bugs are closed, closing parent bug


Note You need to log in before you can comment on or make changes to this bug.