TUCoPS :: Web :: Apache :: va1210.htm

Apache Tomcat information disclosure vulnerability - Updated
CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated
CVE-2008-2938 - Apache Tomcat information disclosure vulnerability - Updated



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated

Severity: Important (was moderate)

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description (new information):
Further investigation of CVE-2008-2938 has shown that the vulnerability
also exists only with URIEncoding="UTF-8" set on the connector. In these
configurations arbitrary files in the docBase for an application,
including files such as web.xml, may be disclosed.
Users should also be aware that this vulnerability will apply when
processing requests with UTF-8 body encoding and
useBodyEncodingForURI="true"

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should obtain the latest source from svn or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=681065 

Example:
http://www.target.com/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml 

Credit:
This additional information was discovered by the Apache Tomcat security
team.

References:
http://tomcat.apache.org/security.html 

Mark Thomas


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org 

iEYEARECAAYFAkjHnCMACgkQb7IeiTPGAkMoLQCg2PxS09CpZGI9t+QcdifSfMh8
CHcAoOSRAPOzAFH5hx1w8jxOBthrAKEJ
=Fi0E
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH