CVE-2008-5515

CVE Descriptions

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V2	5		AV:N/AC:L/Au:N/C:P/I:N/A:N	nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Products Mentioned

Configuraton 0

Apache>>Tomcat >> Version 4.1.0

Apache>>Tomcat >> Version 4.1.1

Apache>>Tomcat >> Version 4.1.2

Apache>>Tomcat >> Version 4.1.3

Apache>>Tomcat >> Version 4.1.10

Apache>>Tomcat >> Version 4.1.11

Apache>>Tomcat >> Version 4.1.12

Apache>>Tomcat >> Version 4.1.13

Apache>>Tomcat >> Version 4.1.14

Apache>>Tomcat >> Version 4.1.15

Apache>>Tomcat >> Version 4.1.16

Apache>>Tomcat >> Version 4.1.17

Apache>>Tomcat >> Version 4.1.18

Apache>>Tomcat >> Version 4.1.19

Apache>>Tomcat >> Version 4.1.20

Apache>>Tomcat >> Version 4.1.21

Apache>>Tomcat >> Version 4.1.22

Apache>>Tomcat >> Version 4.1.23

Apache>>Tomcat >> Version 4.1.24

Apache>>Tomcat >> Version 4.1.25

Apache>>Tomcat >> Version 4.1.26

Apache>>Tomcat >> Version 4.1.27

Apache>>Tomcat >> Version 4.1.28

Apache>>Tomcat >> Version 4.1.29

Apache>>Tomcat >> Version 4.1.30

Apache>>Tomcat >> Version 4.1.31

Apache>>Tomcat >> Version 4.1.32

Apache>>Tomcat >> Version 4.1.33

Apache>>Tomcat >> Version 4.1.34

Apache>>Tomcat >> Version 4.1.35

Apache>>Tomcat >> Version 4.1.36

Apache>>Tomcat >> Version 4.1.37

Apache>>Tomcat >> Version 4.1.38

Apache>>Tomcat >> Version 4.1.39

Apache>>Tomcat >> Version 5.5.0

Apache>>Tomcat >> Version 5.5.1

Apache>>Tomcat >> Version 5.5.2

Apache>>Tomcat >> Version 5.5.3

Apache>>Tomcat >> Version 5.5.4

Apache>>Tomcat >> Version 5.5.5

Apache>>Tomcat >> Version 5.5.6

Apache>>Tomcat >> Version 5.5.7

Apache>>Tomcat >> Version 5.5.8

Apache>>Tomcat >> Version 5.5.9

Apache>>Tomcat >> Version 5.5.10

Apache>>Tomcat >> Version 5.5.11

Apache>>Tomcat >> Version 5.5.12

Apache>>Tomcat >> Version 5.5.13

Apache>>Tomcat >> Version 5.5.14

Apache>>Tomcat >> Version 5.5.15

Apache>>Tomcat >> Version 5.5.16

Apache>>Tomcat >> Version 5.5.17

Apache>>Tomcat >> Version 5.5.18

Apache>>Tomcat >> Version 5.5.19

Apache>>Tomcat >> Version 5.5.20

Apache>>Tomcat >> Version 5.5.21

Apache>>Tomcat >> Version 5.5.22

Apache>>Tomcat >> Version 5.5.23

Apache>>Tomcat >> Version 5.5.24

Apache>>Tomcat >> Version 5.5.25

Apache>>Tomcat >> Version 5.5.26

Apache>>Tomcat >> Version 5.5.27

Apache>>Tomcat >> Version 6.0

Apache>>Tomcat >> Version 6.0.0

Apache>>Tomcat >> Version 6.0.1

Apache>>Tomcat >> Version 6.0.2

Apache>>Tomcat >> Version 6.0.3

Apache>>Tomcat >> Version 6.0.4

Apache>>Tomcat >> Version 6.0.5

Apache>>Tomcat >> Version 6.0.6

Apache>>Tomcat >> Version 6.0.7

Apache>>Tomcat >> Version 6.0.9

Apache>>Tomcat >> Version 6.0.10

Apache>>Tomcat >> Version 6.0.12

Apache>>Tomcat >> Version 6.0.13

Apache>>Tomcat >> Version 6.0.14

Apache>>Tomcat >> Version 6.0.15

Apache>>Tomcat >> Version 6.0.16

Apache>>Tomcat >> Version 6.0.17

Apache>>Tomcat >> Version 6.0.18

References

http://tomcat.apache.org/security-4.html
Tags : x_refsource_CONFIRM

http://marc.info/?l=bugtraq&m=127420533226623&w=2
Tags : vendor-advisory, x_refsource_HP

http://secunia.com/advisories/39317
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
Tags : vendor-advisory, x_refsource_MANDRIVA

http://www.vupen.com/english/advisories/2009/1535
Tags : vdb-entry, x_refsource_VUPEN

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
Tags : vendor-advisory, x_refsource_FEDORA

http://www.debian.org/security/2011/dsa-2207
Tags : vendor-advisory, x_refsource_DEBIAN

http://jvn.jp/en/jp/JVN63832775/index.html
Tags : third-party-advisory, x_refsource_JVN

http://marc.info/?l=bugtraq&m=136485229118404&w=2
Tags : vendor-advisory, x_refsource_HP

http://secunia.com/advisories/37460
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.vupen.com/english/advisories/2010/3056
Tags : vdb-entry, x_refsource_VUPEN

http://www.vmware.com/security/advisories/VMSA-2009-0016.html
Tags : x_refsource_CONFIRM

http://secunia.com/advisories/35788
Tags : third-party-advisory, x_refsource_SECUNIA

http://marc.info/?l=bugtraq&m=127420533226623&w=2
Tags : vendor-advisory, x_refsource_HP

http://www.securityfocus.com/archive/1/504202/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
Tags : vendor-advisory, x_refsource_APPLE

http://www.securityfocus.com/bid/35263
Tags : vdb-entry, x_refsource_BID

http://www.vupen.com/english/advisories/2009/1520
Tags : vdb-entry, x_refsource_VUPEN

http://secunia.com/advisories/44183
Tags : third-party-advisory, x_refsource_SECUNIA

http://www.vupen.com/english/advisories/2009/1856
Tags : vdb-entry, x_refsource_VUPEN

http://www.securityfocus.com/archive/1/504170/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
Tags : vendor-advisory, x_refsource_MANDRIVA

http://www.securityfocus.com/archive/1/507985/100/0/threaded
Tags : mailing-list, x_refsource_BUGTRAQ

http://secunia.com/advisories/42368
Tags : third-party-advisory, x_refsource_SECUNIA

http://tomcat.apache.org/security-6.html
Tags : x_refsource_CONFIRM

http://secunia.com/advisories/35393
Tags : third-party-advisory, x_refsource_SECUNIA

http://support.apple.com/kb/HT4077
Tags : x_refsource_CONFIRM

http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
Tags : vendor-advisory, x_refsource_SUSE

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
Tags : vendor-advisory, x_refsource_FEDORA

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445
Tags : vdb-entry, signature, x_refsource_OVAL

http://secunia.com/advisories/35685
Tags : third-party-advisory, x_refsource_SECUNIA

https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
Tags : vendor-advisory, x_refsource_FEDORA

http://tomcat.apache.org/security-5.html
Tags : x_refsource_CONFIRM

http://www.fujitsu.com/global/support/software/security/products-f/interstage-200902e.html
Tags : x_refsource_CONFIRM

http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
Tags : vendor-advisory, x_refsource_SUSE

http://marc.info/?l=bugtraq&m=129070310906557&w=2
Tags : vendor-advisory, x_refsource_HP

http://marc.info/?l=bugtraq&m=136485229118404&w=2
Tags : vendor-advisory, x_refsource_HP

http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
Tags : vendor-advisory, x_refsource_MANDRIVA

http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
Tags : vendor-advisory, x_refsource_SUNALERT

http://marc.info/?l=bugtraq&m=129070310906557&w=2
Tags : vendor-advisory, x_refsource_HP

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422
Tags : vdb-entry, signature, x_refsource_OVAL

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452
Tags : vdb-entry, signature, x_refsource_OVAL

http://www.vupen.com/english/advisories/2009/3316
Tags : vdb-entry, x_refsource_VUPEN

https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
Tags : mailing-list, x_refsource_MLIST

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	7.34%	–	–
2022-04-03	–	–	7.34%	–	–
2023-02-05	–	–	5.24%	–	–
2023-02-19	–	–	7.34%	–	–
2023-02-26	–	–	7.34%	–	–
2023-03-12	–	–	–	0.3%	–
2023-07-23	–	–	–	0.3%	–
2024-01-28	–	–	–	0.28%	–
2024-02-11	–	–	–	0.28%	–
2024-03-10	–	–	–	0.39%	–
2024-06-02	–	–	–	0.39%	–
2024-06-23	–	–	–	0.39%	–
2024-06-30	–	–	–	0.39%	–
2024-12-22	–	–	–	0.55%	–
2024-12-29	–	–	–	0.66%	–
2025-01-12	–	–	–	0.66%	–
2025-01-19	–	–	–	0.66%	–
2025-02-02	–	–	–	0.72%	–
2025-02-02	–	–	–	0.72%	–
2025-03-18	–	–	–	–	53.99%
2025-06-07	–	–	–	–	36.06%
2025-06-23	–	–	–	–	34.28%
2025-09-25	–	–	–	–	36.06%
2025-10-18	–	–	–	–	60.69%

Date	Percentile
2022-02-06	81%
2022-04-03	92%
2023-02-05	89%
2023-02-19	92%
2023-02-26	93%
2023-03-12	65%
2023-07-23	66%
2024-01-28	65%
2024-02-11	67%
2024-03-10	73%
2024-06-02	73%
2024-06-23	73%
2024-06-30	74%
2024-12-22	77%
2024-12-29	79%
2025-01-12	8%
2025-01-19	8%
2025-02-02	81%
2025-02-02	81%
2025-03-18	98%
2025-06-07	97%
2025-06-23	97%
2025-09-25	97%
2025-10-18	98%

CVE-2008-5515 : Detail