CVE-2007-5461
Apache Tomcat Path Traversal Vulnerability
EPSS 6.5%
Description
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.
How to fix CVE-2007-5461
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- Maven/org.apache.tomcat:tomcat—no fix listed
Is CVE-2007-5461 being exploited?
Moderate: EPSS is 6.5%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (1)
- >= 4.0.0, <= 4.0.6