PT-2008-3852

Published: 2008-07-31 · Updated: 2023-02-13 · CVE-2008-2370

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions:
Apache Tomcat versions 4.1.0 through 4.1.37
Apache Tomcat versions 5.5.0 through 5.5.26
Apache Tomcat versions 6.0.0 through 6.0.16
Description: The issue allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter when a RequestDispatcher is used. The cause is that path normalization is performed before the query string is removed from the URI, so a .. sequence inside a request parameter is collapsed as if it were part of the path. A request that includes a specially crafted request parameter could therefore be used to access content that would otherwise be protected by a security constraint or by its location under the WEB-INF directory.
Recommendations: For Apache Tomcat versions 4.1.0 through 4.1.37, consider disabling the RequestDispatcher until a patch is available, to prevent directory traversal attacks. For Apache Tomcat versions 5.5.0 through 5.5.26, restrict access to sensitive content to minimize the risk of exploitation. For Apache Tomcat versions 6.0.0 through 6.0.16, avoid passing specially crafted request parameters to the RequestDispatcher until the issue is resolved.
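The ordering defect the description refers to, modelled in Python as an added example (this is not Tomcat's code; the context path `/app`, the sample URIs and the `resolve_flawed`, `resolve_fixed`, `is_protected` and `unsafe_resolutions` helpers are all constructed here). The flawed resolver normalizes the whole URI before discarding the query string, so a `..` segment inside a parameter collapses into the path; the fixed resolver strips the query string first and normalizes only the path component. `is_protected` is the kind of guard a dispatcher regression test can assert on: the resolved target must stay inside the context and outside WEB-INF/META-INF.

```python
"""Model of the normalize-before-query-strip ordering bug (added example, not Tomcat code)."""
from posixpath import normpath
from urllib.parse import urlsplit

# Content a servlet container must never hand to a client (constructed list).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def resolve_flawed(context_path: str, raw_uri: str) -> str:
    """Normalize first, strip the query string afterwards (the order the advisory describes).

    normpath() treats '?' as an ordinary character, so a '/../' segment sitting
    inside the query string is collapsed against the real path segments.
    """
    normalized = normpath(context_path + raw_uri)
    return normalized.split("?", 1)[0]


def resolve_fixed(context_path: str, raw_uri: str) -> str:
    """Strip the query string first, then normalize only the path component."""
    path_only = urlsplit(raw_uri).path
    return normpath(context_path + path_only)


def is_protected(context_path: str, resolved: str) -> bool:
    """True if the resolved target escapes the context or reaches a protected directory."""
    if not resolved.startswith(context_path + "/"):
        return True  # walked above the web application's root
    inside_context = resolved[len(context_path):]
    return any(inside_context.startswith(p) for p in PROTECTED_PREFIXES)


def unsafe_resolutions(resolver, context_path: str, uris) -> list:
    """Return the request URIs that a resolver maps onto protected content."""
    return [u for u in uris if is_protected(context_path, resolver(context_path, u))]


# Constructed sample requests, relative to the context path.
SAMPLE_URIS = [
    "/view.jsp?page=home",                      # ordinary request
    "/view.jsp?page=/../WEB-INF/web.xml",       # '..' carried in a parameter
    "/view.jsp?page=/../../outside",            # climbs above the context root
]

if __name__ == "__main__":
    for name, resolver in (("flawed", resolve_flawed), ("fixed", resolve_fixed)):
        print(name, "->", unsafe_resolutions(resolver, "/app", SAMPLE_URIS))
```

Running the block prints the URIs each resolver turns into a protected target: the flawed order flags both crafted requests, the fixed order flags none, which is the property a container's path-resolution tests should pin down.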

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2008-2370
GHSA-M8H8-6RVG-F4MG
HPSBUX02401
RHSA-2008:0648
RHSA-2008:0862
RHSA-2008:0864
RHSA-2008:0877
RHSA-2008:1007
RHSA-2008_0648
RHSA-2010:0602

Affected Products

Apache Tomcat
Hp-Ux
Red Hat