CVE-2015-5174

4.3 MEDIUM

Published: February 25, 2016 Modified: May 06, 2026

Description

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=145974991225029&w=2

Source: secalert@redhat.com

http://packetstormsecurity.com/files/135883/Apache-Tomcat-Limited-Directory-Traversal.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-1435.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-2045.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2016-2599.html

Source: secalert@redhat.com

http://seclists.org/bugtraq/2016/Feb/149

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1696281

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1696284

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1700897

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1700898

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1700900

Source: secalert@redhat.com

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-8.html

Source: secalert@redhat.com

Vendor Advisory

http://www.debian.org/security/2016/dsa-3530

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3552

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3609

Source: secalert@redhat.com

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Source: secalert@redhat.com

http://www.securityfocus.com/bid/83329

Source: secalert@redhat.com

http://www.securitytracker.com/id/1035070

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-3024-1

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2016:1432

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2016:1433

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2016:1434

Source: secalert@redhat.com

https://bto.bluecoat.com/security-advisory/sa118

Source: secalert@redhat.com

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

Source: secalert@redhat.com

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

Source: secalert@redhat.com

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

Source: secalert@redhat.com

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2%40%3Cusers.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85%40%3Cusers.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e%40%3Cusers.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4%40%3Cusers.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350%40%3Cusers.tomcat.apache.org%3E

Source: secalert@redhat.com

https://security.gentoo.org/glsa/201705-09

Source: secalert@redhat.com

https://security.netapp.com/advisory/ntap-20180531-0001/

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html