Bug 1265698 (CVE-2015-5174) - CVE-2015-5174 tomcat: URL Normalization issue
Summary: CVE-2015-5174 tomcat: URL Normalization issue
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5174
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1265704 1273410 1311095 1311102 1315982 1315983 1347128 1347129 1351915 1367051 1367052
Blocks: 1265668 1311109
Reported: 2015-09-23 13:47 UTC by Timothy Walsh
Modified: 2021-02-17 04:54 UTC
CC List: 13 users

Fixed In Version: tomcat 6.0.45, tomcat 7.0.65, tomcat 8.0.27
Doc Type: Bug Fix
Doc Text:
A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:43:42 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1432 0 normal SHIPPED_LIVE Critical: jboss-ec2-eap security, bug fix, and enhancement update 2016-07-18 23:41:10 UTC
Red Hat Product Errata RHSA-2016:1433 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update 2016-07-18 23:44:33 UTC
Red Hat Product Errata RHSA-2016:1434 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform update 2016-07-18 23:39:47 UTC
Red Hat Product Errata RHSA-2016:1435 0 normal SHIPPED_LIVE Critical: Red Hat JBoss Enterprise Application Platform 6.4.9 update 2016-07-19 01:21:04 UTC
Red Hat Product Errata RHSA-2016:2045 0 normal SHIPPED_LIVE Important: tomcat6 security and bug fix update 2016-10-11 00:38:52 UTC
Red Hat Product Errata RHSA-2016:2599 0 normal SHIPPED_LIVE Moderate: tomcat security, bug fix, and enhancement update 2016-11-03 12:12:12 UTC

Description Timothy Walsh 2015-09-23 13:47:58 UTC
URL Normalisation issue

A directory traversal vulnerability exists in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 that allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Comment 7 Andrej Nemec 2016-02-23 11:52:07 UTC
When accessing resources via the ServletContext methods getResource(),
getResourceAsStream() and getResourcePaths() the paths should be limited
to the current web application. The validation was not correct and paths
of the form "/.." were not rejected. Note that paths starting with
"/../" were correctly rejected.
This bug allowed malicious web applications running under a security
manager to obtain a directory listing for the directory in which the web
application had been deployed. This should not be possible when running
under a security manager. Typically, the directory listing that would be
exposed would be for $CATALINA_BASE/webapps.

External references:

http://seclists.org/bugtraq/2016/Feb/149
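As an added illustration (not Tomcat's code and not part of this bug report), the following Python re-implements, in simplified form, the normalization gap described in the comment above: a routine that only resolves "/../" occurrences never sees a request that ends in a bare "/..", so the string passes unchanged and resolves to the parent of the web application's docBase. The hardened variant appends a slash to a trailing "/." or "/.." before normalizing, so the segment is handled like any other. The docBase value, the function names and the sample paths are constructed for the example.

```python
"""Simplified, self-contained re-implementation (not Tomcat's code) of the
normalization gap described for CVE-2015-5174: a check that only resolves
"/../" occurrences never sees a path that ends in a bare "/.."."""

import posixpath
from typing import Optional


def _collapse(normalized: str) -> Optional[str]:
    """Resolve "//", "/./" and "/../" in an absolute path.

    Returns None when "/../" would climb above the root "/", which a caller
    treats as 'outside the web application'.
    """
    while "//" in normalized:
        normalized = normalized.replace("//", "/")
    while "/./" in normalized:
        normalized = normalized.replace("/./", "/", 1)
    while True:
        index = normalized.find("/../")
        if index < 0:
            break
        if index == 0:
            return None  # attempting to go above the context root
        # Drop the segment preceding "/../" together with the "/.." itself.
        parent = normalized.rfind("/", 0, index)
        normalized = normalized[:parent] + normalized[index + 3:]
    return normalized


def normalize_flawed(path: str) -> Optional[str]:
    """Pre-fix behaviour: only "/../" is resolved, so "/.." survives untouched."""
    if not path.startswith("/"):
        path = "/" + path
    return _collapse(path)


def normalize_fixed(path: str) -> Optional[str]:
    """Post-fix behaviour: a trailing "/." or "/.." gets a slash first, so it
    is resolved like any other segment; the added slash is removed afterwards."""
    if not path.startswith("/"):
        path = "/" + path
    added_slash = False
    if path.endswith("/.") or path.endswith("/.."):
        path += "/"
        added_slash = True
    result = _collapse(path)
    if result is None:
        return None
    if added_slash and len(result) > 1 and result.endswith("/"):
        result = result[:-1]
    return result


def resolve_on_disk(doc_base: str, normalized: str) -> str:
    """Where an (already normalized) context-relative path lands on disk."""
    return posixpath.normpath(doc_base + normalized)


if __name__ == "__main__":
    # Constructed docBase; its parent is the $CATALINA_BASE/webapps directory.
    doc_base = "/opt/tomcat/webapps/myapp"
    for requested in ("/..", "/../", "/WEB-INF/..", "/a/b/../c"):
        for name, fn in (("flawed", normalize_flawed), ("fixed", normalize_fixed)):
            result = fn(requested)
            where = "rejected" if result is None else resolve_on_disk(doc_base, result)
            print(f"{name:6} {requested!r:14} -> {where}")
```

Running the block prints one line per path and variant; the flawed variant maps "/.." onto the webapps directory itself, which is exactly the listing the comment says should not be reachable under a security manager, while the fixed variant rejects it the same way it already rejected "/../".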

Comment 12 errata-xmlrpc 2016-07-18 19:07:05 UTC
This issue has been addressed in the following products:

   Red Hat JBoss Enterprise Application Platform

Via RHSA-2016:1435 https://rhn.redhat.com/errata/RHSA-2016-1435.html

Comment 13 errata-xmlrpc 2016-07-18 19:41:50 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 7

Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434

Comment 14 errata-xmlrpc 2016-07-18 19:42:31 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432

Comment 15 errata-xmlrpc 2016-07-18 19:45:41 UTC
This issue has been addressed in the following products:

  JBEAP 6.4.z for RHEL 6

Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433

Comment 19 errata-xmlrpc 2016-10-10 20:42:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html

Comment 20 errata-xmlrpc 2016-11-03 21:09:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html

