J-Security Center


Title: Apache Tomcat 'RequestDispatcher' Information Disclosure Vulnerability

Severity: MODERATE

Description:

Apache Tomcat is a Java-based web server and servlet container available for multiple operating systems.

Tomcat is prone to a remote information-disclosure vulnerability because it fails to sufficiently sanitize user-supplied input. Specifically, when a request is forwarded through the HTTP 'RequestDispatcher', the target path is normalized before the query string is removed, so the contents of the query string can influence the resolved path.

An attacker can exploit this issue by submitting a specially crafted URI that triggers the flawed normalization.

Successfully exploiting this issue will allow attackers to obtain sensitive information that may lead to further attacks.
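The ordering problem described above, modelled as an added example (this is not code from the advisory or from Tomcat itself): the flawed variant normalizes the whole target before splitting off the query string, the corrected variant splits first. The `dispatch_target_is_safe` policy that rejects the `WEB-INF` and `META-INF` trees is an assumed defensive check, not something the advisory prescribes.

```python
# Added example, not from the advisory or from Tomcat's own source: models the
# RequestDispatcher ordering bug the advisory describes and the corrected order.
import posixpath
from typing import Tuple


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments; the result always stays rooted at '/'."""
    norm = posixpath.normpath(path)
    return norm if norm.startswith("/") else "/" + norm


def resolve_vulnerable(target: str) -> Tuple[str, str]:
    """Flawed order (the bug): normalize the whole target, then drop the query.

    A query value that begins with '/..' is consumed as path segments, so the
    query string can pull the resolved path somewhere else entirely.
    """
    path, _, query = normalize(target).partition("?")
    return path, query


def resolve_fixed(target: str) -> Tuple[str, str]:
    """Corrected order: split off the query string first, then normalize the path."""
    path, _, query = target.partition("?")
    return normalize(path), query


def dispatch_target_is_safe(target: str) -> bool:
    """Defensive check for a forward/include target (assumed policy, not Tomcat's):
    resolve with the corrected order and refuse the container's protected trees."""
    path, _ = resolve_fixed(target)
    top_segment = path.split("/")[1].upper()   # path always starts with '/'
    return top_segment not in ("WEB-INF", "META-INF")


if __name__ == "__main__":
    # Constructed sample target: a benign page with a query value that starts
    # with '/..', the shape that the flawed ordering mishandles.
    sample = "/app/show?ref=/../../WEB-INF/web.xml"
    print("vulnerable order ->", resolve_vulnerable(sample))
    print("fixed order      ->", resolve_fixed(sample))
    print("safe to dispatch ->", dispatch_target_is_safe(sample))
```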

The following versions are affected:

Tomcat 4.1.0 through 4.1.37
Tomcat 5.5.0 through 5.5.26
Tomcat 6.0.0 through 6.0.16

Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.

Affected Products:

  • Apache Software Foundation Tomcat 4.1.0
  • Apache Software Foundation Tomcat 4.1.10
  • Apache Software Foundation Tomcat 4.1.12
  • Apache Software Foundation Tomcat 4.1.24
  • Apache Software Foundation Tomcat 4.1.28
  • Apache Software Foundation Tomcat 4.1.29
  • Apache Software Foundation Tomcat 4.1.3
  • Apache Software Foundation Tomcat 4.1.3 beta
  • Apache Software Foundation Tomcat 4.1.30
  • Apache Software Foundation Tomcat 4.1.31
  • Apache Software Foundation Tomcat 4.1.32
  • Apache Software Foundation Tomcat 4.1.34
  • Apache Software Foundation Tomcat 4.1.36
  • Apache Software Foundation Tomcat 4.1.37
  • Apache Software Foundation Tomcat 4.1.9 beta
  • Apache Software Foundation Tomcat 5.5.0
  • Apache Software Foundation Tomcat 5.5.1
  • Apache Software Foundation Tomcat 5.5.10
  • Apache Software Foundation Tomcat 5.5.11
  • Apache Software Foundation Tomcat 5.5.12
  • Apache Software Foundation Tomcat 5.5.13
  • Apache Software Foundation Tomcat 5.5.14
  • Apache Software Foundation Tomcat 5.5.15
  • Apache Software Foundation Tomcat 5.5.16
  • Apache Software Foundation Tomcat 5.5.17
  • Apache Software Foundation Tomcat 5.5.18
  • Apache Software Foundation Tomcat 5.5.19
  • Apache Software Foundation Tomcat 5.5.2
  • Apache Software Foundation Tomcat 5.5.20
  • Apache Software Foundation Tomcat 5.5.21
  • Apache Software Foundation Tomcat 5.5.22
  • Apache Software Foundation Tomcat 5.5.23
  • Apache Software Foundation Tomcat 5.5.24
  • Apache Software Foundation Tomcat 5.5.25
  • Apache Software Foundation Tomcat 5.5.26
  • Apache Software Foundation Tomcat 5.5.3
  • Apache Software Foundation Tomcat 5.5.4
  • Apache Software Foundation Tomcat 5.5.5
  • Apache Software Foundation Tomcat 5.5.6
  • Apache Software Foundation Tomcat 5.5.7
  • Apache Software Foundation Tomcat 5.5.8
  • Apache Software Foundation Tomcat 5.5.9
  • Apache Software Foundation Tomcat 6.0.0
  • Apache Software Foundation Tomcat 6.0.1
  • Apache Software Foundation Tomcat 6.0.10
  • Apache Software Foundation Tomcat 6.0.11
  • Apache Software Foundation Tomcat 6.0.12
  • Apache Software Foundation Tomcat 6.0.13
  • Apache Software Foundation Tomcat 6.0.14
  • Apache Software Foundation Tomcat 6.0.15
  • Apache Software Foundation Tomcat 6.0.16
  • Apache Software Foundation Tomcat 6.0.2
  • Apache Software Foundation Tomcat 6.0.3
  • Apache Software Foundation Tomcat 6.0.4
  • Apache Software Foundation Tomcat 6.0.5
  • Apache Software Foundation Tomcat 6.0.6
  • Apache Software Foundation Tomcat 6.0.7
  • Apache Software Foundation Tomcat 6.0.8
  • Apache Software Foundation Tomcat 6.0.9
  • Apple Mac OS X Server 10.5.5
  • Avaya AES 3.0
  • Avaya AES 3.1
  • Avaya AES 3.1.3
  • Avaya AES 3.1.4
  • Avaya AES 3.1.5
  • Avaya AES 3.1.6
  • Avaya AES 4.0
  • Avaya AES 4.0.1
  • Avaya AES 4.1
  • Avaya AES 4.2
  • Avaya AES 4.2.1
  • Avaya Meeting Exchange - Enterprise Edition
  • Avaya Meeting Exchange 5.0
  • Avaya Meeting Exchange 5.0.0.0.52
  • Gentoo Linux 1.2.0
  • Gentoo Linux 1.4.0 _rc1
  • Gentoo Linux 1.4.0 _rc2
  • Gentoo Linux 1.4.0 _rc3
  • HP HP-UX B.11.11
  • HP HP-UX B.11.23
  • HP HP-UX B.11.31
  • MandrakeSoft Linux Mandrake 2008.0
  • MandrakeSoft Linux Mandrake 2008.0 x86_64
  • MandrakeSoft Linux Mandrake 2008.1
  • MandrakeSoft Linux Mandrake 2008.1 x86_64
  • Pardus Linux 2008
  • RedHat Application Server AS4 2
  • RedHat Application Server ES4 2
  • RedHat Application Server WS4 2
  • RedHat Developer Suite AS4 3
  • RedHat Enterprise Linux 5 server
  • RedHat Enterprise Linux Desktop 5 client
  • RedHat Enterprise Linux Desktop Workstation 5 client
  • RedHat Fedora 8
  • RedHat Fedora 9
  • RedHat JBoss Enterprise Application Platform 4.2.0
  • RedHat JBoss Enterprise Application Platform 4.2.0 EL4
  • RedHat JBoss Enterprise Application Platform 4.2.0 EL5
  • RedHat JBoss Enterprise Application Platform 4.2.0.CP03
  • RedHat Red Hat Network Satellite (for RHEL 4) 5.1
  • RedHat Red Hat Network Satellite Server 5.0.0
  • RedHat Red Hat Network Satellite Server 5.0.1
  • S.u.S.E. SUSE Linux Enterprise Server 10 SP2
  • S.u.S.E. openSUSE 10.2
  • S.u.S.E. openSUSE 10.3
  • S.u.S.E. openSUSE 11.0
  • Sun OpenSolaris build snv_100
  • Sun OpenSolaris build snv_13
  • Sun OpenSolaris build snv_19
  • Sun OpenSolaris build snv_22
  • Sun OpenSolaris build snv_29
  • Sun OpenSolaris build snv_36
  • Sun OpenSolaris build snv_39
  • Sun OpenSolaris build snv_50
  • Sun OpenSolaris build snv_57
  • Sun OpenSolaris build snv_59
  • Sun OpenSolaris build snv_61
  • Sun OpenSolaris build snv_64
  • Sun OpenSolaris build snv_67
  • Sun OpenSolaris build snv_68
  • Sun OpenSolaris build snv_76
  • Sun OpenSolaris build snv_77
  • Sun OpenSolaris build snv_78
  • Sun OpenSolaris build snv_80
  • Sun OpenSolaris build snv_81
  • Sun OpenSolaris build snv_82
  • Sun OpenSolaris build snv_83
  • Sun OpenSolaris build snv_84
  • Sun OpenSolaris build snv_85
  • Sun OpenSolaris build snv_86
  • Sun OpenSolaris build snv_87
  • Sun OpenSolaris build snv_88
  • Sun OpenSolaris build snv_89
  • Sun OpenSolaris build snv_90
  • Sun OpenSolaris build snv_91
  • Sun OpenSolaris build snv_92
  • Sun OpenSolaris build snv_95
  • Sun OpenSolaris build snv_96
  • Sun OpenSolaris build snv_99
  • Sun Solaris 10.0
  • Sun Solaris 10.0_x86
  • Sun Solaris 9
  • Sun Solaris 9_x86
  • VMWare ESX Server 3.0.2
  • VMWare ESX Server 3.0.3
  • VMWare ESX Server 3.5
  • VMWare VirtualCenter 2.0.2
  • VMWare VirtualCenter 2.5
  • VMWare VirtualCenter 2.5 Update 1
  • VMWare VirtualCenter 2.5 Update 2
  • VMWare VirtualCenter 2.5 Update 3 build 11983
  • WiKID Systems WiKID Server 3.0.4
