CVE ID:	CVE-2008-5515
Description:	Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
Test IDs:	1.3.6.1.4.1.25623.1.0.122466
Cross References:	Common Vulnerability Exposure (CVE) ID: CVE-2008-5515 20090608 [SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability http://www.securityfocus.com/archive/1/504170/100/0/threaded 20090610 [SECURITY] UPDATED CVE-2008-5515 RequestDispatcher directory traversal vulnerability http://www.securityfocus.com/archive/1/504202/100/0/threaded 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components http://www.securityfocus.com/archive/1/507985/100/0/threaded 263529 http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1 35263 http://www.securityfocus.com/bid/35263 35393 http://secunia.com/advisories/35393 35685 http://secunia.com/advisories/35685 35788 http://secunia.com/advisories/35788 37460 http://secunia.com/advisories/37460 39317 http://secunia.com/advisories/39317 42368 http://secunia.com/advisories/42368 44183 http://secunia.com/advisories/44183 ADV-2009-1520 http://www.vupen.com/english/advisories/2009/1520 ADV-2009-1535 http://www.vupen.com/english/advisories/2009/1535 ADV-2009-1856 http://www.vupen.com/english/advisories/2009/1856 ADV-2009-3316 http://www.vupen.com/english/advisories/2009/3316 ADV-2010-3056 http://www.vupen.com/english/advisories/2010/3056 APPLE-SA-2010-03-29-1 http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html DSA-2207 http://www.debian.org/security/2011/dsa-2207 FEDORA-2009-11352 https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html FEDORA-2009-11356 https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html FEDORA-2009-11374 https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html HPSBMA02535 http://marc.info/?l=bugtraq&m=127420533226623&w=2 HPSBUX02579 http://marc.info/?l=bugtraq&m=129070310906557&w=2 HPSBUX02860 http://marc.info/?l=bugtraq&m=136485229118404&w=2 JVN#63832775 http://jvn.jp/en/jp/JVN63832775/index.html MDVSA-2009:136 http://www.mandriva.com/security/advisories?name=MDVSA-2009:136 MDVSA-2009:138 http://www.mandriva.com/security/advisories?name=MDVSA-2009:138 MDVSA-2010:176 http://www.mandriva.com/security/advisories?name=MDVSA-2010:176 SSRT100029 http://marc.info/?l=bugtraq&m=127420533226623&w=2 SSRT100203 http://marc.info/?l=bugtraq&m=129070310906557&w=2 SSRT101146 http://marc.info/?l=bugtraq&m=136485229118404&w=2 SUSE-SR:2009:012 http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html SUSE-SR:2010:008 http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190319 svn commit: r1855831 [22/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190325 svn commit: r1856174 [20/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200203 svn commit: r1873527 [22/30] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200213 svn commit: r1873980 [25/34] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E http://support.apple.com/kb/HT4077 http://support.apple.com/kb/HT4077 http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-6.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html http://www.vmware.com/security/advisories/VMSA-2009-0016.html http://www.vmware.com/security/advisories/VMSA-2009-0016.html oval:org.mitre.oval:def:10422 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422 oval:org.mitre.oval:def:19452 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452 oval:org.mitre.oval:def:6445 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445