PT-2010-1267 · Apache+2 · Apache Tomcat+2

Published 2010-01-21 · Updated 2022-05-02 · CVE-2009-2693

CVSS v2.0: 5.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 5.5.0 through 5.5.28
Apache Tomcat versions 6.0.0 through 6.0.20

Description

The issue allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) sequence in an entry name in a WAR file. This can be demonstrated by including entries such as ../../bin/catalina.bat or ../../bin/catalina.sh in the WAR file, enabling an attacker to create arbitrary content outside of the web root.

Recommendations

For Apache Tomcat versions 5.5.0 through 5.5.28, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 6.0.0 through 6.0.20, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the deployment of WAR files to trusted sources and validating the contents of WAR files for directory traversal attempts before deployment.
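The pre-deployment check the recommendation describes, as an added example (not code from this advisory or from the Tomcat project): a WAR file is a ZIP archive, so the validator below opens it with Python's zipfile module and flags every entry whose name would resolve outside the deployment directory, including the ../ form named in the description, absolute paths, and backslash-separated variants. The sample WAR, its entry names and the helper functions are constructed for the example.

```python
import io
import zipfile
from typing import Dict, Optional

# Constructed sample WAR contents (not taken from any real archive): two
# ordinary entries plus three that a deployer must never write to disk.
SAMPLE_ENTRIES = {
    "WEB-INF/web.xml": b"<web-app/>",
    "index.jsp": b"<html>hello</html>",
    "../../bin/catalina.sh": b"# would overwrite the startup script",
    "/etc/passwd": b"# absolute path outside the webapps directory",
    "WEB-INF\\..\\..\\conf\\server.xml": b"<Server/>",
}


def build_sample_war(entries: Dict[str, bytes] = SAMPLE_ENTRIES) -> bytes:
    """Write the constructed entries into an in-memory ZIP (the WAR format)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def unsafe_reason(name: str) -> Optional[str]:
    """Return why an entry name is unsafe to extract, or None if it is fine.

    The policy is strict: any '..' path component is rejected, even one that
    would normalise back inside the root, because extractors disagree on
    normalisation and the safe choice is to refuse the whole archive.
    """
    # Treat backslashes as separators too; some extractors do.
    normalized = name.replace("\\", "/")
    first = normalized.split("/", 1)[0]
    if normalized.startswith("/") or first.endswith(":"):
        return "absolute path"
    if ".." in normalized.split("/"):
        return "contains a '..' path component"
    return None


def scan_war(war_bytes: bytes) -> Dict[str, str]:
    """Map each unsafe entry name in the archive to the reason it was flagged."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            reason = unsafe_reason(info.filename)
            if reason is not None:
                findings[info.filename] = reason
    return findings


def is_safe_to_deploy(war_bytes: bytes) -> bool:
    """True only when no entry would land outside the deployment directory."""
    return not scan_war(war_bytes)


if __name__ == "__main__":
    war = build_sample_war()
    for entry, reason in scan_war(war).items():
        print(f"REJECT {entry!r}: {reason}")
    print("safe to deploy:", is_safe_to_deploy(war))
```

Run the script as-is to see the three constructed entries rejected; point scan_war at the bytes of a real archive to use it as a gate in a deployment pipeline. Rejecting the whole archive rather than skipping bad entries is deliberate: a WAR that contains traversal entries is not one to trust in part.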

Exploit

Fix

Path traversal


Weakness Enumeration

Related identifiers

CVE-2009-2693
DSA-2207-1
GHSA-GGX9-4728-588R
HPSBUX02541
HPSBUX02860
RHSA-2010:0119
RHSA-2010:0580
RHSA-2010:0582
RHSA-2010:0693
RHSA-2010_0580

Affected products

Apache Tomcat
Hp-Ux
Red Hat