PT-2002-2730 · Apache · Apache Tomcat
Publicado
2002-12-31
·
Atualizado
2022-04-30
·
CVE-2002-2009
CVSS v4.0
6.9
Média
| Vetor | AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat version 4.0.1
Description
The issue allows remote attackers to obtain the web root path via specific HTTP requests for JSP files. This can be achieved by preceding the JSP file name with certain characters, such as
+/, >/, </, or %20/, which results in an error message that leaks the pathname. Additionally, requests for JSP files with long file names can also lead to the disclosure of the full file system path to the JSP file.Recommendations
For Apache Tomcat version 4.0.1, consider restricting access to JSP files to minimize the risk of path disclosure until a patch is available. As a temporary workaround, avoid using JSP file names that are preceded by vulnerable characters or are excessively long.
Exploit
Correção
Generation of Error Message Containing Sensitive Information
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Apache Tomcat