CVE-2008-2938
Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
Related bugs and status
CVE-2008-2938 (Candidate) is related to these bugs:
Bug #112626: unable to install tomcat 5.5 on update ubuntu 7.04
Bug | Summary | In | Importance | Status
---|---|---|---|---
112626 | unable to install tomcat 5.5 on update ubuntu 7.04 | tomcat5.5 (Ubuntu) | Low | Fix Released
Bug #179447: Installation of tomcat5.5 fails if openjdk-6 or a JRE is installed
Bug | Summary | In | Importance | Status
---|---|---|---|---
179447 | Installation of tomcat5.5 fails if openjdk-6 or a JRE is installed | tomcat5.5 (Ubuntu) | Medium | Fix Released
179447 | Installation of tomcat5.5 fails if openjdk-6 or a JRE is installed | tomcat5.5 (Debian) | Unknown | Fix Released
179447 | Installation of tomcat5.5 fails if openjdk-6 or a JRE is installed | tomcat5.5 (Ubuntu Hardy) | High | Fix Released
Bug #212521: Installation fails even if openjdk-6-jdk is installed
Bug | Summary | In | Importance | Status
---|---|---|---|---
212521 | Installation fails even if openjdk-6-jdk is installed | tomcat5.5 (Ubuntu) | Medium | Fix Released
212521 | Installation fails even if openjdk-6-jdk is installed | tomcat5.5 (Debian) | Unknown | Fix Released
212521 | Installation fails even if openjdk-6-jdk is installed | tomcat5.5 (Ubuntu Hardy) | Undecided | Fix Released
Bug #256802: tomcat <6.0.18: Directory Traversal (CVE-2008-2938)
Bug | Summary | In | Importance | Status
---|---|---|---|---
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat6 (Ubuntu) | Undecided | Fix Released
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat5.5 (Ubuntu) | Low | Fix Released
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat6 (Gentoo Linux) | Critical | Invalid
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat5.5 (Debian) | Unknown | Fix Released
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat5.5 (Ubuntu Hardy) | Low | Fix Released
256802 | tomcat <6.0.18: Directory Traversal (CVE-2008-2938) | tomcat6 (Ubuntu Hardy) | Undecided | Invalid
Bug #256922: Information disclosure vulnerability (CVE-2008-2370)
Bug | Summary | In | Importance | Status
---|---|---|---|---
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat6 (Ubuntu) | Undecided | Fix Released
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat5.5 (Ubuntu) | Medium | Fix Released
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat5.5 (Debian) | Unknown | Fix Released
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat5.5 (Ubuntu Hardy) | Medium | Fix Released
256922 | Information disclosure vulnerability (CVE-2008-2370) | tomcat6 (Ubuntu Hardy) | Undecided | Invalid
Bug #256926: Cross-site scripting through sendError (CVE-2008-1232)
Bug | Summary | In | Importance | Status
---|---|---|---|---
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat6 (Ubuntu) | Undecided | Fix Released
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat5.5 (Ubuntu) | Low | Fix Released
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat5.5 (Debian) | Unknown | Fix Released
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat5.5 (Ubuntu Hardy) | Low | Fix Released
256926 | Cross-site scripting through sendError (CVE-2008-1232) | tomcat6 (Ubuntu Hardy) | Undecided | Invalid
Bug #260016: Update to Tomcat 6.0.18
Bug | Summary | In | Importance | Status
---|---|---|---|---
260016 | Update to Tomcat 6.0.18 | tomcat6 (Ubuntu) | Wishlist | Fix Released
Bug #270553: Cross-site scripting in host-manager webapp (CVE-2008-1947)
Bug | Summary | In | Importance | Status
---|---|---|---|---
270553 | Cross-site scripting in host-manager webapp (CVE-2008-1947) | tomcat5.5 (Ubuntu) | Low | Invalid
270553 | Cross-site scripting in host-manager webapp (CVE-2008-1947) | tomcat5.5 (Ubuntu Hardy) | Low | Fix Released
Bug #298043: Please merge tomcat5.5 5.5.26-5 (universe) from Debian unstable (main)
Bug | Summary | In | Importance | Status
---|---|---|---|---
298043 | Please merge tomcat5.5 5.5.26-5 (universe) from Debian unstable (main) | tomcat5.5 (Ubuntu) | Wishlist | Fix Released
Bug #298051: tomcat5.5 initscript "status" action always return 0
Bug | Summary | In | Importance | Status
---|---|---|---|---
298051 | tomcat5.5 initscript "status" action always return 0 | tomcat5.5 (Ubuntu) | Low | Fix Released
See the CVE page on Mitre.org for more details.