
Apache Tomcat 6.0.x < 6.0.45 / 7.0.x < 7.0.65 / 8.0.x < 8.0.27 Directory Traversal

Medium

Synopsis

The remote web server is missing an Apache Tomcat patch update.

Description

Apache Tomcat 6.0.x before 6.0.45, 7.0.x before 7.0.65, and 8.0.x before 8.0.27 is affected by a directory traversal flaw. The ServletContext methods 'getResource()', 'getResourceAsStream()', and 'getResourcePaths()' are meant to confine lookups to the current web application, but they do not properly validate the supplied path against traversal sequences (e.g. '../'), so a crafted path can resolve to a location outside the web application's root. With a specially crafted request, a remote attacker can obtain a directory listing.
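The example below is added to illustrate the class of validation mistake described above; it is not Tomcat's code or this advisory's. It models a resource lookup rooted at a web application directory with two validators: a lenient one that only rejects paths beginning with '/../' (a simplified stand-in for an incomplete traversal check) and a strict one that rejects any path whose segments would climb above the context root. The directory layout, the function names, and the validator logic are constructed for this illustration.

```python
import os
import tempfile
from pathlib import Path
from typing import Callable, List, Optional

# Hypothetical "before" validator: blocks an obvious "/../" prefix but
# accepts a bare trailing "/.." or a nested "/a/../.." that still escapes.
# This is a simplified model of an incomplete check, not Tomcat's source.
def lenient_validate(path: str) -> Optional[str]:
    if not path.startswith("/"):
        return None
    if path.startswith("/../"):
        return None
    return path


# Hardened validator: walk the segments and track depth relative to the
# context root; any ".." that would go below depth 0 is rejected outright.
def strict_validate(path: str) -> Optional[str]:
    if not path.startswith("/"):
        return None
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return None
        else:
            depth += 1
    return path


# Resolve a context-relative path against the webapp root after validation.
# Defence in depth: even after lexical validation, confirm the canonical
# result still lies inside the canonical root (catches symlink surprises).
def resolve(root: Path, path: str,
            validate: Callable[[str], Optional[str]],
            enforce_containment: bool = False) -> Optional[Path]:
    checked = validate(path)
    if checked is None:
        return None
    target = (root / checked.lstrip("/")).resolve()
    if enforce_containment:
        root_canon = root.resolve()
        if target != root_canon and root_canon not in target.parents:
            return None
    return target


# Analogue of getResourcePaths(): list the names under the resolved directory,
# or None when the path is rejected or is not a directory.
def list_resource_paths(root: Path, path: str,
                        validate: Callable[[str], Optional[str]],
                        enforce_containment: bool = False) -> Optional[List[str]]:
    target = resolve(root, path, validate, enforce_containment)
    if target is None or not target.is_dir():
        return None
    return sorted(os.listdir(target))


# Constructed sample deployment: webapps/myapp (the context root) with a
# sibling webapps/otherapp that should never be visible to myapp.
def build_demo_tree() -> "tuple[Path, Path]":
    base = Path(tempfile.mkdtemp())
    webapps = base / "webapps"
    app = webapps / "myapp"
    (app / "WEB-INF").mkdir(parents=True)
    (app / "WEB-INF" / "web.xml").write_text("<web-app/>")
    (webapps / "otherapp").mkdir()
    return webapps, app


if __name__ == "__main__":
    webapps, app = build_demo_tree()
    # Lenient check: "/.." slips through and lists the parent (webapps) directory.
    print("lenient /..  ->", list_resource_paths(app, "/..", lenient_validate))
    # Strict check: the same request is rejected.
    print("strict  /..  ->", list_resource_paths(app, "/..", strict_validate))
    # Containment check alone also stops it, independent of the lexical rule.
    print("lenient+containment /.. ->",
          list_resource_paths(app, "/..", lenient_validate, enforce_containment=True))
    # Legitimate in-context lookups still work under the strict rule.
    print("strict  /WEB-INF ->", list_resource_paths(app, "/WEB-INF", strict_validate))
```

The strict validator and the containment check are independent layers: the first rejects the request before any filesystem access, the second catches anything the lexical rule misses. Prefer both in code that maps user-influenced paths onto a document root.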

Solution

Update to Apache Tomcat version 8.0.27 or later. If version 8.0.x cannot be deployed, versions 7.0.65 and 6.0.45 are also patched for this vulnerability. Verify the running version after the upgrade (for example with the bin/version.sh or version.bat script shipped with Tomcat) rather than relying on the installer's reported version.