Apache Tomcat 'RequestDispatcher' Information Disclosure Vulnerability
BID:30494
Info
| Bugtraq ID: | 30494 |
| Class: | Input Validation Error |
| CVE: | CVE-2008-2370 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 01 2008 12:00AM |
| Updated: | May 07 2015 05:17PM |
| Credit: | Stefano Di Paola of Minded Security Research Labs |
| Vulnerable: | WiKID Systems WiKID Server 3.0.4 VMWare VirtualCenter 2.0.2 VMWare VirtualCenter 2.5.Update 3 build 1 VMWare VirtualCenter 2.5 Update 5 VMWare VirtualCenter 2.5 Update 2 VMWare VirtualCenter 2.5 Update 1 VMWare VirtualCenter 2.5 VMWare VirtualCenter 2.0.2 Update 5 VMWare VirtualCenter 2.0.2 Update 4 VMWare VirtualCenter 2.0.2 Update 3 VMWare VirtualCenter 2.0.2 Update 2 VMWare VirtualCenter 2.0.2 Update 1 VMWare vCenter 4.0 VMWare Server 2.0.2 VMWare Server 2.0.1 VMWare Server 2.0 VMWare ESX Server 3.0.3 VMWare ESX Server 3.0.2 VMWare ESX Server 3.0.1 VMWare ESX Server 3.0 VMWare ESX Server 4.0 VMWare ESX Server 3.5 SuSE SUSE Linux Enterprise Server 10 SP2 Sun Solaris 9_x86 Sun Solaris 9_sparc Sun Solaris 10_x86 Sun Solaris 10_sparc Sun OpenSolaris build snv_99 Sun OpenSolaris build snv_96 Sun OpenSolaris build snv_95 Sun OpenSolaris build snv_92 Sun OpenSolaris build snv_91 Sun OpenSolaris build snv_90 Sun OpenSolaris build snv_89 Sun OpenSolaris build snv_88 Sun OpenSolaris build snv_87 Sun OpenSolaris build snv_86 Sun OpenSolaris build snv_85 Sun OpenSolaris build snv_84 Sun OpenSolaris build snv_83 Sun OpenSolaris build snv_82 Sun OpenSolaris build snv_81 Sun OpenSolaris build snv_80 Sun OpenSolaris build snv_78 Sun OpenSolaris build snv_77 Sun OpenSolaris build snv_76 Sun OpenSolaris build snv_68 Sun OpenSolaris build snv_67 Sun OpenSolaris build snv_64 Sun OpenSolaris build snv_61 Sun OpenSolaris build snv_59 Sun OpenSolaris build snv_57 Sun OpenSolaris build snv_50 Sun OpenSolaris build snv_39 Sun OpenSolaris build snv_36 Sun OpenSolaris build snv_29 Sun OpenSolaris build snv_22 Sun OpenSolaris build snv_19 Sun OpenSolaris build snv_13 Sun OpenSolaris build snv_100 S.u.S.E. openSUSE 11.0 S.u.S.E. openSUSE 10.3 S.u.S.E. openSUSE 10.2 Redhat Red Hat Network Satellite Server 5.0.1 Redhat Red Hat Network Satellite Server 5.0 Redhat Red Hat Network Satellite (for RHEL 4) 5.1 Redhat JBoss Enterprise Application Platform 4.2 EL5 Redhat JBoss Enterprise Application Platform 4.2 EL4 Redhat JBoss Enterprise Application Platform 4.2 .CP03 Redhat JBoss Enterprise Application Platform 4.2 Redhat Enterprise Linux Desktop Workstation 5 client Redhat Enterprise Linux Desktop 5 client Redhat Enterprise Linux 5 Server Redhat Developer Suite AS4 3 Redhat Certificate Server 7.3 Redhat Application Server WS4 2 Redhat Application Server ES4 2 Redhat Application Server AS4 2 Pardus Linux 2008 0 Novell ZENworks Linux Management 7.3 Mandriva Linux Mandrake 2008.1 x86_64 Mandriva Linux Mandrake 2008.1 Mandriva Linux Mandrake 2008.0 x86_64 Mandriva Linux Mandrake 2008.0 HP XP P9000 Performance Advisor 5.4.1 HP HP-UX B.11.31 HP HP-UX B.11.11 Fujitsu INTERSTAGE Studio Standard-J Edition 9.0 Fujitsu INTERSTAGE Studio Standard-J Edition 8.0.1 Fujitsu INTERSTAGE Studio Enterprise Edition 9.0 Fujitsu INTERSTAGE Studio Enterprise Edition 8.0.1 Fujitsu INTERSTAGE Business Application Server Enterprise 8.0.0 Fujitsu INTERSTAGE Apworks Modelers-J Edition 7.0 Fujitsu INTERSTAGE Apworks Modelers-J Edition 6.0A Fujitsu INTERSTAGE Apworks Modelers-J Edition 6.0 Fujitsu INTERSTAGE Application Server Standard-J Edition 9.1 Fujitsu INTERSTAGE Application Server Standard-J Edition 9.0 A Fujitsu INTERSTAGE Application Server Standard-J Edition 9.0 Fujitsu INTERSTAGE Application Server Standard-J Edition 8.0.2 Fujitsu INTERSTAGE Application Server Standard-J Edition 8.0.1 Fujitsu INTERSTAGE Application Server Standard-J Edition 8.0 Fujitsu INTERSTAGE Application Server Plus Developer 7.0 Fujitsu INTERSTAGE Application Server Plus Developer 6.0 Fujitsu Interstage Application Server Plus 7.0.1 Fujitsu Interstage Application Server Plus 7.0 Fujitsu Interstage Application Server Plus 6.0 Fujitsu INTERSTAGE Application Server Enterprise Edition 9.1 Fujitsu INTERSTAGE Application Server Enterprise Edition 9.0 A Fujitsu INTERSTAGE Application Server Enterprise Edition 9.0 Fujitsu INTERSTAGE Application Server Enterprise Edition 8.0.2 Fujitsu INTERSTAGE Application Server Enterprise Edition 8.0.1 Fujitsu INTERSTAGE Application Server Enterprise Edition 8.0 Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0.1 Fujitsu INTERSTAGE Application Server Enterprise Edition 7.0 Fujitsu INTERSTAGE Application Server Enterprise Edition 6.0 Avaya Meeting Exchange - Enterprise Edition Avaya Meeting Exchange 5.0 .0.52 Avaya Meeting Exchange 5.0 Avaya Aura Application Enablement Services 4.2.1 Avaya Aura Application Enablement Services 4.0.1 Avaya Aura Application Enablement Services 3.1.6 Avaya Aura Application Enablement Services 3.1.5 Avaya Aura Application Enablement Services 3.1.4 Avaya Aura Application Enablement Services 3.1.3 Avaya Aura Application Enablement Services 4.2 Avaya Aura Application Enablement Services 4.1 Avaya Aura Application Enablement Services 4.0 Avaya Aura Application Enablement Services 3.1 Avaya Aura Application Enablement Services 3.0 Apple Mac OS X Server 10.5.5 Apache Tomcat 6.0.16 Apache Tomcat 6.0.15 Apache Tomcat 6.0.14 Apache Tomcat 6.0.13 Apache Tomcat 6.0.12 Apache Tomcat 6.0.11 Apache Tomcat 6.0.10 Apache Tomcat 6.0.9 Apache Tomcat 6.0.8 Apache Tomcat 6.0.7 Apache Tomcat 6.0.6 Apache Tomcat 6.0.5 Apache Tomcat 6.0.4 Apache Tomcat 6.0.3 Apache Tomcat 6.0.2 Apache Tomcat 6.0.1 Apache Tomcat 6.0 Apache Tomcat 5.5.26 Apache Tomcat 5.5.25 Apache Tomcat 5.5.24 Apache Tomcat 5.5.23 Apache Tomcat 5.5.22 Apache Tomcat 5.5.21 Apache Tomcat 5.5.20 Apache Tomcat 5.5.19 Apache Tomcat 5.5.18 Apache Tomcat 5.5.17 Apache Tomcat 5.5.16 Apache Tomcat 5.5.15 Apache Tomcat 5.5.14 Apache Tomcat 5.5.13 Apache Tomcat 5.5.12 Apache Tomcat 5.5.11 Apache Tomcat 5.5.10 Apache Tomcat 5.5.9 Apache Tomcat 5.5.8 Apache Tomcat 5.5.7 Apache Tomcat 5.5.6 Apache Tomcat 5.5.5 Apache Tomcat 5.5.4 Apache Tomcat 5.5.3 Apache Tomcat 5.5.2 Apache Tomcat 5.5.1 Apache Tomcat 5.5 Apache Tomcat 4.1.37 Apache Tomcat 4.1.36 Apache Tomcat 4.1.34 Apache Tomcat 4.1.32 Apache Tomcat 4.1.31 Apache Tomcat 4.1.30 Apache Tomcat 4.1.29 Apache Tomcat 4.1.28 Apache Tomcat 4.1.24 Apache Tomcat 4.1.12 Apache Tomcat 4.1.10 Apache Tomcat 4.1.9 beta Apache Tomcat 4.1.3 beta Apache Tomcat 4.1.3 Apache Tomcat 4.1 Apache ODE 1.3.2 Apache ODE 1.0 |
| Not Vulnerable: | WiKID Systems WiKID Server 3.0.5 VMWare VirtualCenter 2.5 Update 6 VMWare vCenter 4.0 Update 1 Sun OpenSolaris build snv_101 Redhat JBoss Enterprise Application Platform 4.2 .CP04 HP XP P9000 Performance Advisor 5.5.1 Apache Tomcat 6.0.18 Apache Tomcat 5.5.27 Apache Tomcat 4.1.38 Apache ODE 1.3.3 |
Discussion
Apache Tomcat is prone to a remote information-disclosure vulnerability.
Remote attackers can exploit this issue to obtain the contents of sensitive files stored on the server. Information obtained may lead to further attacks.
The following versions are affected:
Tomcat 4.1.0 through 4.1.37
Tomcat 5.5.0 through 5.5.26
Tomcat 6.0.0 through 6.0.16
Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
Exploit / POC
An attacker can exploit this issue through a browser.
The following proof-of-concept URI is available:
http://www.example.com/page.jsp?blah=/../WEB-INF/web.xml
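The following is an added example, not code from this advisory or from the Tomcat project. It models in Python the path-handling order that lets the proof-of-concept URI above reach `WEB-INF/web.xml` (an affected container normalized the dispatch target before removing its query string, so a `..` segment inside the query string could rewrite the path part), shows the corrected order, and adds two defender-side pieces: a guard an application can apply before calling `getRequestDispatcher` on a container that cannot be upgraded yet, and a check over access-log lines that flags such requests for review. The function names (`dispatcher_target_vulnerable`, `dispatcher_target_fixed`, `safe_dispatch_target`, `flag_traversal_requests`), the `PROTECTED_PREFIXES` list and the access-log lines are all constructed for this example; the only input taken from the page is its proof-of-concept query string.

```python
"""Added example (not Tomcat's code): model of the RequestDispatcher path
handling behind this BID, with an application-side guard and a log check.

Assumption: the affected container normalized a dispatch target (collapsing
'.' and '..') before it removed the query string, so '..' inside the query
string could rewrite the path portion. The page's proof-of-concept URI is
used below as constructed input.
"""
import re
from posixpath import normpath
from typing import List, Optional
from urllib.parse import unquote, urlsplit

# Directories a servlet container must never serve directly (assumed list).
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def _normalize(path: str) -> str:
    # Collapse '.' and '..' segments for a context-relative path and keep a
    # single leading slash (posixpath treats a leading '//' specially, so
    # strip any leading slashes before re-adding one).
    return normpath("/" + path.lstrip("/"))


def dispatcher_target_vulnerable(path_with_query: str) -> str:
    """Affected order: normalize the whole string, then strip the query."""
    normalized = _normalize(path_with_query)
    return normalized.split("?", 1)[0]


def dispatcher_target_fixed(path_with_query: str) -> str:
    """Corrected order: strip the query string first, then normalize."""
    path = path_with_query.split("?", 1)[0]
    return _normalize(path)


def safe_dispatch_target(path_with_query: str) -> Optional[str]:
    """Guard for application code that forwards to a user-influenced path.
    Rejects any raw '..' segment anywhere in the string (query included,
    since a vulnerable container normalizes it too), then rejects targets
    that resolve under a protected directory. Returns the cleaned
    context-relative path, or None when the request should be refused."""
    raw_segments = unquote(path_with_query).replace("\\", "/").split("/")
    if ".." in raw_segments:
        return None
    target = dispatcher_target_fixed(path_with_query)
    upper = target.upper()
    if upper.startswith(PROTECTED_PREFIXES) or upper in ("/WEB-INF", "/META-INF"):
        return None
    return target


# Constructed access-log lines in common log format. The second carries the
# page's proof-of-concept query string; the third is the same request with
# percent-encoded slashes, which the decoder below still catches.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [01/Aug/2008:10:00:00 +0000] "GET /page.jsp?blah=home HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Aug/2008:10:00:02 +0000] "GET /page.jsp?blah=/../WEB-INF/web.xml HTTP/1.1" 200 1843',
    '10.0.0.9 - - [01/Aug/2008:10:00:03 +0000] "GET /page.jsp?blah=%2f..%2fWEB-INF%2fweb.xml HTTP/1.1" 200 1843',
]

_REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_traversal_requests(log_lines: List[str]) -> List[str]:
    """Return request targets whose query string, once percent-decoded,
    contains a '..' segment or names a protected directory."""
    hits = []
    for line in log_lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        query = unquote(urlsplit(target).query)
        segments = query.replace("\\", "/").split("/")
        names_protected = any(p.strip("/") in query.upper() for p in PROTECTED_PREFIXES)
        if ".." in segments or names_protected:
            hits.append(target)
    return hits


if __name__ == "__main__":
    poc = "/page.jsp?blah=/../WEB-INF/web.xml"
    print("affected order resolves to:", dispatcher_target_vulnerable(poc))
    print("fixed order resolves to:   ", dispatcher_target_fixed(poc))
    print("guard verdict:", safe_dispatch_target(poc))
    print("flagged log requests:", flag_traversal_requests(SAMPLE_ACCESS_LOG))
```

The guard deliberately rejects every raw `..` segment rather than trying to decide which ones are harmless: a forward target built from request data has no legitimate need for one, and the stricter rule does not depend on the container's normalization order. The log check is a review aid, not proof of compromise; a flagged request with a 200 response on an unpatched version is the case worth investigating first.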
Solution / Fix
Solution:
Updates are available. Please see the references for more information.
Mandriva Linux Mandrake 2008.0
- Mandriva tomcat5-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-admin-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-common-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-server-lib-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-webapps-5.5.23-9.2.10.2mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
VMWare ESX Server 4.0
- VMWare ESX-4.0.0-update01.zip: https://hostupdate.vmware.com/software/VUM/OFFLINE/release-158-20091118-187517/ESX-4.0.0-update01.zip
Apple Mac OS X Server 10.5.5
- Apple SecUpdSrvr2008-007.dmg: http://www.apple.com/support/downloads/securityupdate2008007serverleopard.html
Apache Tomcat 6.0.15
- Apache Software Foundation apache-tomcat-6.0.18.tar.gz: http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz
Apache Tomcat 6.0.16
- Apache Software Foundation apache-tomcat-6.0.18.tar.gz: http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz
Apache Tomcat 6.0.5
- Apache Software Foundation apache-tomcat-6.0.18.tar.gz: http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz
Apache Tomcat 6.0.7
- Apache Software Foundation apache-tomcat-6.0.18.tar.gz: http://mirror.atlanticmetro.net/apache/tomcat/tomcat-6/v6.0.18/bin/apache-tomcat-6.0.18.tar.gz
References
- [Security-announce] UPDATED VMSA-2009-0002.1 VirtualCenter Update 4 and ESX patc (VMware)
- Apache Tomcat 4.x vulnerabilities (Apache)
- Apache Tomcat 5.x vulnerabilities (Apache)
- Apache Tomcat 6.x vulnerabilities (Apache)
- Apache Tomcat Homepage (Apache)
- Interstage Application Server: Information Disclosure Vulnerabilities (CVE-2008-2 (Fujitsu)
- JBoss Enterprise Application Platform 4.2 Release Notes CP04 (Red Hat)
- Release Name: 3.0.5 (WiKID Systems)
- Solution 251986 : Security Vulnerabilities in Tomcat 5.5 may Lead to Cross S (Sun Microsystem)
- ZLM 7.3 IR3 Tomcat 5.0.30 to fix reported security vulnerabilities (Novell)
- [CVE-2008-2370] Apache Tomcat information disclosure vulnerability (Mark Thomas)
- VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release addre (VMware Security Team)
- ASA-2008-401 - tomcat security update (RHSA-2008-0862) (Avaya)
- Release of ODE 1.3.3 (Apache)
- RHSA-2008:0648-10 tomcat security update (Red Hat)
- Tomcat 5.0.28 in ZLM 7.3 subject to Multiple Vendor Multiple HTTP Request Smuggl (Novell)