Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
                
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2009-06-16T20:26:00
Updated: 2024-08-07T10:56:46.803Z
Reserved: 2008-12-12T00:00:00
Link: CVE-2008-5515
Vulnrichment
No data.
NVD
Status: Deferred
Published: 2009-06-16T21:00:00.313
Modified: 2025-04-09T00:30:58.490
Link: CVE-2008-5515
Redhat