CVE-2006-3835
Apache Tomcat Reveals Directories
EPSS 51.5%
Description
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (`;`) preceding a filename with a mapped extension, as demonstrated by URLs ending with `/;index.jsp` and `/;help.do`.
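A log check for the request shape described above, as an added example that is not part of the original advisory: it flags access-log requests whose final path segment begins with `;` followed by a filename with a mapped extension. The function names, the extension set and the sample log lines are assumptions constructed for illustration, and matching the percent-encoded `%3B` form is a conservative extra, since the advisory shows only the literal semicolon.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: extensions mapped to servlets in the deployment. The advisory
# names .jsp and .do; adjust to match the mappings in your web.xml.
MAPPED_EXTENSIONS = {".jsp", ".do"}

# Request and status fields of a Common Log Format line.
CLF_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def is_semicolon_listing_probe(target, extensions=MAPPED_EXTENSIONS):
    """True when the last path segment is ';' + filename with a mapped extension."""
    path = unquote(urlsplit(target).path)      # drop the query, decode %3B
    last = path.rsplit("/", 1)[-1]
    if not last.startswith(";"):
        return False                           # e.g. index.jsp;jsessionid=... is normal
    name = last[1:].split(";", 1)[0]           # ignore any trailing path parameters
    dot = name.rfind(".")
    return dot > 0 and name[dot:].lower() in extensions

def scan_access_log(lines):
    """Return one finding per matching request; 'served' marks a 200 response."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = CLF_REQUEST.search(line)
        if not m or not is_semicolon_listing_probe(m["target"]):
            continue
        findings.append({"line": lineno, "target": m["target"],
                         "status": int(m["status"]), "served": m["status"] == "200"})
    return findings

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /docs/index.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /docs/index.jsp;jsessionid=ABC123 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /docs/;index.jsp HTTP/1.1" 200 1843',
    '198.51.100.7 - - [01/Jan/2024:10:01:01 +0000] "GET /app/%3Bhelp.do?x=1 HTTP/1.1" 404 312',
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /static/;notes.txt HTTP/1.1" 404 312',
]

if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to true on a host still running a version before 5.5.17 is the case to review first, since the response body may contain a directory listing.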
How to fix CVE-2006-3835
To remediate CVE-2006-3835, upgrade the affected package to a fixed version listed below.
- Maven/org.apache.tomcat:tomcat: upgrade to 5.5.17 or later
Is CVE-2006-3835 being exploited?
Likely — EPSS is 51.5%, placing CVE-2006-3835 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.
Affected packages (1)
- >= 5.0.0, < 5.5.17