CVE-2008-5515 — tomcat5.5 - several

Description

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

How to fix CVE-2008-5515

To remediate CVE-2008-5515, upgrade the affected package to a fixed version below.

—upgrade to 5.5.26-5lenny2 or later
—upgrade to 4.1.40 or later

Is CVE-2008-5515 being exploited?

Likely — EPSS is 71.8%, placing CVE-2008-5515 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (2)

from 0, < 5.5.26-5lenny2
>= 4.1.0, < 4.1.40

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (33)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2008-5515
PATCHgithub.com/apache/tomcat
WEBjvn.jp/en/jp/JVN63832775/index.html
WEBlists.apple.com/archives/security-announce/2010//Mar/msg00001.html
WEB