PT-2010-1277 · Apache · Apache Tomcat
Published: 2010-01-21 · Updated: 2023-02-13 · CVE-2009-2902
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 5.5.0 through 5.5.28
Apache Tomcat versions 6.0.0 through 6.0.20
Description
The vulnerability allows a remote attacker who can get a WAR file deployed (for example through the Manager application or a writable appBase) to delete files under Tomcat's work directory via directory traversal sequences in the WAR file name. When deploying WAR files, Tomcat did not check the file name for directory traversal attempts, which can break currently running applications. For example, deploying and then undeploying a WAR file with a specially crafted name such as ...war lets an attacker cause the deletion of the current contents of the host's work directory: the context name is derived by stripping the .war suffix, which leaves .., so the context's work directory resolves to a directory above its own and the undeploy cleanup removes that directory together with the work directories of the other deployed applications.
Recommendations
For Apache Tomcat 5.5.0 through 5.5.28, upgrade to 5.5.29 or later, where the WAR file name check was added.
For Apache Tomcat 6.0.0 through 6.0.20, upgrade to 6.0.24 or later.
As a temporary workaround, restrict who can deploy: limit the Manager application's deploy role to trusted users, do not let untrusted users write to a host's appBase while autoDeploy is enabled, and reject WAR file names that contain path separators or .. before they reach Tomcat.
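The derivation described above and the file name validation the workaround calls for, as an added Python illustration (not Tomcat's HostConfig code): it mirrors the unchecked context-name derivation, shows what an undeploy of a file named ...war or ..war would remove from a constructed work tree, and pairs it with a hardened resolver that rejects traversal and verifies containment. The work-directory path, the tree contents and the function names are assumptions made for the example.

```python
import posixpath

# Constructed layout for the illustration (assumption, not a real host).
WORK_BASE = "/var/lib/tomcat6/work/Catalina/localhost"

# Constructed work-tree contents of two running applications on that host.
SAMPLE_TREE = frozenset({
    WORK_BASE + "/shop/SESSIONS.ser",
    WORK_BASE + "/shop/org/apache/jsp/index_jsp.class",
    WORK_BASE + "/intranet/SESSIONS.ser",
})


def context_name_from_war(war_filename):
    """Mirror the unchecked derivation: the context name is the file name
    with its trailing '.war' removed; nothing else is inspected."""
    if not war_filename.lower().endswith(".war"):
        raise ValueError("not a WAR file name: %r" % war_filename)
    return war_filename[:-4]


def work_dir_unchecked(war_filename, work_base=WORK_BASE):
    """Vulnerable resolution: join the derived name onto the work base.
    normpath collapses '..', so '...war' -> '..' -> the parent directory
    and '..war' -> '.' -> the work base itself."""
    name = context_name_from_war(war_filename)
    return posixpath.normpath(posixpath.join(work_base, name))


def is_safe_context_name(name):
    """Illustrative validation: a context name must be one plain path
    component, with no separators and no '..' anywhere in it."""
    if name in ("", ".", ".."):
        return False
    if "/" in name or "\\" in name or "\0" in name:
        return False
    return ".." not in name


def work_dir_checked(war_filename, work_base=WORK_BASE):
    """Hardened resolution: validate the name, then confirm the resolved
    path is strictly inside the work base (defence in depth; the name
    check alone already rejects every traversal form above)."""
    name = context_name_from_war(war_filename)
    if not is_safe_context_name(name):
        raise ValueError("rejected WAR file name: %r" % war_filename)
    base = posixpath.normpath(work_base)
    resolved = posixpath.normpath(posixpath.join(base, name))
    if resolved == base or posixpath.commonpath([base, resolved]) != base:
        raise ValueError("work directory escapes base: %r" % resolved)
    return resolved


def undeploy_removes(war_filename, tree=SAMPLE_TREE, resolver=work_dir_unchecked):
    """Simulate the undeploy cleanup: return every path in the tree that
    lies at or below the context's resolved work directory."""
    target = resolver(war_filename)
    prefix = target.rstrip("/") + "/"
    return sorted(p for p in tree if p == target or p.startswith(prefix))


def rejected_by_check(war_filename):
    """True if the hardened resolver refuses the file name."""
    try:
        work_dir_checked(war_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name in ("shop.war", "...war", "..war"):
        print(name, "->", work_dir_unchecked(name))
        print("  unchecked undeploy removes:", undeploy_removes(name))
        print("  hardened resolver rejects:", rejected_by_check(name))
```

The name check is the part a deployment pipeline should apply before a file is ever written to appBase, since it needs no filesystem access; the containment check is a second line of defence for the case where a name slips through with a form the first check did not anticipate.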
Weakness Enumeration
Path traversal
Related Identifiers
CVE-2009-2902
Affected Products
Apache Tomcat
HP-UX
Red Hat