CVE-2015-5174
Description
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
Risk Information
| Field | Value |
|---|---|
| Base Score | 4.3 (MODERATE) |
| Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| EPSS Score (Exploitation Probability) | 2.751 |
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Update Tomcat to 9.5.14 | Windows |
| Update Tomcat to 9.5.5 | Windows |
| Update Tomcat to 9.5.7 | Windows |
| Update Tomcat to 9.5.8 | Windows |
| Update Tomcat to 9.6.10 | Windows |
| Update Tomcat to 9.6.3 | Windows |
| Update Tomcat to 9.6.4 | Windows |
| Update Tomcat to 9.6.7 | Windows |
| Update Tomcat to 9.6.8 | Windows |
| Update Tomcat to 2.4.5 | Windows |
| Update Tomcat to 3.0.14 | Windows |
| Vulnerabilities CVE-2016-0706,CVE-2015-5345,CVE-2015-5174 are fixed in Apache - tomcat 6.0.45 | Windows |
| Vulnerabilities CVE-2015-5174 are fixed in Apache - tomcat 8.0.27 | Windows |
| Vulnerabilities CVE-2015-5174 are fixed in Apache - tomcat 7.0.65 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.1.0.3 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 6.0.3.4 | Windows |
| Servlet and JSP engine (USN-1637-1) libtomcat6-java_6.0.35-1ubuntu3.7_all.deb | Linux |
| Servlet and JSP engine (USN-2302-1) libtomcat7-java_7.0.52-1ubuntu0.6_all.deb | Linux |
| Tomcat7 7.0.68-1ubuntu0.1 for Ubuntu 16.04 LTS (x64) tomcat7_7.0.68-1ubuntu0.4_all.deb | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-7.0.68-7.6.1.noarch.rpm | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-admin-webapps-7.0.68-7.6.1.noarch.rpm | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-docs-webapp-7.0.68-7.6.1.noarch.rpm | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-el-2_2-api-7.0.68-7.6.1.noarch.rpm | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-javadoc-7.0.68-7.6.1.noarch.rpm | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-jsp-2_2-api-7.0.68-7.6.1.noarch.rpm | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-lib-7.0.68-7.6.1.noarch.rpm | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-servlet-3_0-api-7.0.68-7.6.1.noarch.rpm | Linux |
| SUSE-SU-2016:0822-1(SUSE Linux Enterprise Server 12 ) tomcat-webapps-7.0.68-7.6.1.noarch.rpm | Linux |
| Update Tomcat to 9.5.14 (For Linux) | Linux |
| Update Tomcat to 9.5.5 (For Linux) | Linux |
| Update Tomcat to 9.5.7 (For Linux) | Linux |
| Update Tomcat to 9.5.8 (For Linux) | Linux |
| Update Tomcat to 9.6.10 (For Linux) | Linux |
| Update Tomcat to 9.6.3 (For Linux) | Linux |
| Update Tomcat to 9.6.4 (For Linux) | Linux |
| Update Tomcat to 9.6.7 (For Linux) | Linux |
| Update Tomcat to 9.6.8 (For Linux) | Linux |
| Update Tomcat to 2.4.5 (For Linux) | Linux |
| Update Tomcat to 3.0.14 (For Linux) | Linux |
| Vulnerabilities CVE-2016-0706,CVE-2015-5345,CVE-2015-5174 are fixed in Apache - tomcat for Linux 6.0.45 | Linux |
| Vulnerabilities CVE-2015-5174 are fixed in Apache - tomcat for Linux 8.0.27 | Linux |
| Vulnerabilities CVE-2015-5174 are fixed in Apache - tomcat for Linux 7.0.65 | Linux |
| Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability (CVE-2015-5174) | NCM |
Patch Details
No records found