Skip to main content

CVE-2015-5174

Severity

6.5

Description

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Project

Apache Tomcat

Category
n/a
Tags
data
Date Disclosed

2016-02-25

Date Discovered

2015-07-01

Apache Tomcat 8.0.x

First release:
2014-06-25
First release:
2018-06-30
0
Support Lifecycle:
Namespace:
javax

Apache Tomcat 7.0.x

First release:
2011-01-14
First release:
2021-03-31
0
Support Lifecycle:
Namespace:
javax
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.