Apache Tomcat 7.0.x < 7.0.65 / 8.0.x < 8.0.27 Directory Traversal
Severity: Medium
Nessus Plugin ID: 121117

Synopsis
The remote Apache Tomcat server is affected by a directory traversal vulnerability.

Description
According to its self-reported version number, the Apache Tomcat instance listening on the remote host is 7.0.x prior to 7.0.65, or 8.0.x prior to 8.0.27. It is, therefore, affected by the following vulnerability:
- A directory traversal vulnerability exists in Tomcat when accessing resources via ServletContext methods using paths beginning with '/..'. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request, to obtain a directory listing for the directory in which the application was deployed.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution
Upgrade to Apache Tomcat version 7.0.65 / 8.0.27 or later.
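
The version-only check described in the note above can be repeated across your own inventory. The following Python is an added example, not Nessus plugin code or Tomcat project code; the function names, hostnames and banner strings are assumptions constructed for illustration, with the fixed versions taken from the Solution text.

```python
import re

# First fixed patch level per affected branch, taken from the advisory text.
FIXED = {(7, 0): 65, (8, 0): 27}

PREFIXED = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")
BARE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?")


def parse_version(banner):
    """Return (major, minor, patch) from a self-reported version, or None."""
    m = PREFIXED.search(banner) or BARE.fullmatch(banner.strip())
    return tuple(int(part) for part in m.groups()) if m else None


def assess(banner):
    """Classify a banner: 'affected', 'fixed', 'out-of-scope' or 'unknown'."""
    version = parse_version(banner)
    if version is None:
        return "unknown"  # banner suppressed or not Tomcat: needs a manual look
    major, minor, patch = version
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "out-of-scope"  # branch not named in this advisory
    # Compare as integers: as strings, "100" would sort before "65".
    return "affected" if patch < fixed_patch else "fixed"


def triage(inventory):
    """Map each host to its status and return the affected hosts sorted."""
    results = {host: assess(banner) for host, banner in inventory.items()}
    return results, sorted(h for h, s in results.items() if s == "affected")


# Constructed sample inventory (hostnames and banners are made up).
SAMPLE = {
    "app01": "Server version: Apache Tomcat/7.0.64",
    "app02": "Server version: Apache Tomcat/7.0.100",
    "app03": "8.0.26.0",
    "app04": "Server version: Apache Tomcat/8.0.27",
    "app05": "Server version: Apache Tomcat/8.5.4",
    "app06": "Apache-Coyote/1.1",
}

if __name__ == "__main__":
    statuses, affected = triage(SAMPLE)
    for host in sorted(statuses):
        print(f"{host}: {statuses[host]}")
    print("upgrade needed:", ", ".join(affected))
```

Like the plugin, this trusts the reported version string, so a distribution package that backports the fix without changing the version will still be classified as affected and should be confirmed against the vendor's changelog.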