CVE-2009-2902
medium
CVSS v3
—
CVSS v2
4.3
VIR risk
4.3
Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Apache Tomcat
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — http://secunia.com/advisories/38316
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| Maven | org.apache.tomcat:tomcat | >=5.5.0,<5.5.29 | 5.5.29 |
| Maven | org.apache.tomcat:tomcat | >=6.0.0,<6.0.24 | 6.0.24 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apache | tomcat | 5.5.28 | |
| apache | tomcat | 6.0.11 | |
| apache | tomcat | 6.0.19 | |
| apache | tomcat | 6.0.20 | |
| apache | tomcat | 5.5.16 | |
| apache | tomcat | 6.0 | |
| apache | tomcat | 6.0.4 | |
| apache | tomcat | 5.5.14 | |
| apache | tomcat | 5.5.15 | |
| apache | tomcat | 5.5.20 | |
| apache | tomcat | 6.0.2 | |
| apache | tomcat | 6.0.3 | |
| apache | tomcat | 5.5.5 | |
| apache | tomcat | 5.5.9 | |
| apache | tomcat | 5.5.10 | |
| apache | tomcat | 5.5.22 | |
| apache | tomcat | 5.5.26 | |
| apache | tomcat | 6.0.8 | |
| apache | tomcat | 6.0.18 | |
| apache | tomcat | 5.5.0 | |
| apache | tomcat | 5.5.6 | |
| apache | tomcat | 5.5.7 | |
| apache | tomcat | 5.5.11 | |
| apache | tomcat | 5.5.12 | |
| apache | tomcat | 6.0.14 | |
| apache | tomcat | 6.0.15 | |
| apache | tomcat | 6.0.17 | |
| apache | tomcat | 5.5.27 | |
| apache | tomcat | 5.5.1 | |
| apache | tomcat | 5.5.2 | |
| apache | tomcat | 5.5.3 | |
| apache | tomcat | 5.5.4 | |
| apache | tomcat | 5.5.8 | |
| apache | tomcat | 5.5.18 | |
| apache | tomcat | 5.5.19 | |
| apache | tomcat | 6.0.7 | |
| apache | tomcat | 6.0.10 | |
| apache | tomcat | 6.0.16 | |
| apache | tomcat | 6.0.5 | |
| apache | tomcat | 5.5.17 | |
| apache | tomcat | 6.0.0 | |
| apache | tomcat | 6.0.1 | |
| apache | tomcat | 6.0.6 | |
| apache | tomcat | 6.0.12 | |
| apache | tomcat | 5.5.13 | |
| apache | tomcat | 5.5.21 | |
| apache | tomcat | 5.5.23 | |
| apache | tomcat | 5.5.24 | |
| apache | tomcat | 5.5.25 | |
| apache | tomcat | 6.0.9 | |
| apache | tomcat | 6.0.13 | |
References
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02241113
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
- http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html
- http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html
- http://marc.info/?l=bugtraq&m=127420533226623&w=2
- http://marc.info/?l=bugtraq&m=133469267822771&w=2
- http://marc.info/?l=bugtraq&m=136485229118404&w=2
- http://marc.info/?l=bugtraq&m=139344343412337&w=2
- http://secunia.com/advisories/38316
- http://secunia.com/advisories/38346
- http://secunia.com/advisories/38541
- http://secunia.com/advisories/38687
- http://secunia.com/advisories/39317
- http://secunia.com/advisories/40330
- http://secunia.com/advisories/40813
- http://secunia.com/advisories/43310
- http://secunia.com/advisories/57126
- http://securitytracker.com/id?1023504
- http://support.apple.com/kb/HT4077
- http://svn.apache.org/viewvc?rev=892815&view=rev
- http://svn.apache.org/viewvc?rev=902650&view=rev
- http://tomcat.apache.org/security-5.html
- http://tomcat.apache.org/security-6.html
CWEs
CWE-22
Verify integrity in audit chain (admin only). AS-IS.