CVE-2015-5174

Description

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

How to fix CVE-2015-5174

To remediate CVE-2015-5174, upgrade the affected package to a fixed version below.

• —upgrade to 6.0.45-1~deb6u1 or later
• —upgrade to 7.0.28-4+deb7u4 or later
• —upgrade to 8.0.14-1+deb8u2 or later
• —upgrade to 8.0.27 or later

Is CVE-2015-5174 being exploited?

Low — EPSS is 4.5%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 6.0.45-1~deb6u1
• from 0, < 7.0.28-4+deb7u4
• from 0, < 8.0.14-1+deb8u2
• >= 8.0.0-RC1, < 8.0.27

CVSS scores

References (45)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2015-5174
• WEBlists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
• WEBlists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
• WEBlists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html