URL Normalisation issue A directory traversal vulnerability exists in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 that allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
Public via: http://seclists.org/bugtraq/2016/Feb/149
Upstream patches:
Tomcat6: http://svn.apache.org/viewvc?view=revision&revision=1700900
Tomcat7: http://svn.apache.org/viewvc?view=revision&revision=1696284 http://svn.apache.org/viewvc?view=revision&revision=1700898
Tomcat8: http://svn.apache.org/viewvc?view=revision&revision=1696281 http://svn.apache.org/viewvc?view=revision&revision=1700897
When accessing resources via the ServletContext methods getResource(), getResourceAsStream() and getResourcePaths(), the paths should be limited to the current web application. The validation was not correct: paths of the form "/.." (a trailing dot-dot segment with no slash after it) were not rejected. Note that paths starting with "/../" were correctly rejected. This bug allowed malicious web applications running under a security manager to obtain a directory listing for the directory in which the web application had been deployed. This should not be possible when running under a security manager. Typically, the directory listing that would be exposed would be for $CATALINA_BASE/webapps. External references: http://seclists.org/bugtraq/2016/Feb/149
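The following is an added example, not Tomcat's code and not taken from the advisory or the upstream patches: it reconstructs the class of check described above in a small standalone Java program. The class and method names (ResourcePathCheck, flawedIsWithinWebapp, normalizeWithinWebapp) are invented for illustration. flawedIsWithinWebapp shows how a prefix/infix test for "/../" lets a bare trailing "/.." through, while normalizeWithinWebapp resolves the path segment by segment and refuses any path whose ".." would pop above the web application root, so a trailing ".." is treated exactly like "../".

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example (not Tomcat's code): a resource-path check that mirrors the
 * class of bug described in the advisory. All names here are hypothetical.
 */
public final class ResourcePathCheck {

    /**
     * Flawed check: rejects a leading "/../" and any embedded "/../", but a
     * path that merely ends in "/.." passes, which is the shape of the bug
     * described above. Also lets "//.." through, since the infix test never
     * sees a "/../" substring.
     */
    static boolean flawedIsWithinWebapp(String path) {
        if (path == null || !path.startsWith("/")) {
            return false;
        }
        return !path.startsWith("/../") && !path.contains("/../");
    }

    /**
     * Hardened check: normalise segment by segment and refuse any path whose
     * ".." would leave the web application root. A trailing ".." segment is
     * handled exactly like "../", so "/.." and "/WEB-INF/../.." are rejected.
     * Returns the normalised path, or null if the path escapes the root.
     */
    static String normalizeWithinWebapp(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;            // "//" and "/./" are no-ops
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;     // would leave the webapp root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed sample paths: a mix of benign and root-escaping inputs.
        String[] samples = {
            "/", "/..", "/../", "//..", "/WEB-INF/web.xml",
            "/WEB-INF/../..", "/a/./b/../c", "/a/b/.."
        };
        for (String p : samples) {
            System.out.printf("%-18s flawed=%-5s hardened=%s%n",
                    p, flawedIsWithinWebapp(p), normalizeWithinWebapp(p));
        }
    }
}
```

Running main prints one line per sample; "/.." and "//.." show flawed=true (accepted) but hardened=null (rejected), whereas "/a/b/.." is accepted by both and normalises to "/a", which is the behaviour a resource lookup confined to the web application should have. The practical check for a deployed container remains the version: 6.0.45, 7.0.65 or 8.0.27 and later carry the upstream fix.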
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform Via RHSA-2016:1435 https://rhn.redhat.com/errata/RHSA-2016-1435.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7 Via RHSA-2016:1434 https://access.redhat.com/errata/RHSA-2016:1434
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2016:1432 https://access.redhat.com/errata/RHSA-2016:1432
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2016:1433 https://access.redhat.com/errata/RHSA-2016:1433
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html