CVE-2005-4836

Published: 31/12/2005 Updated: 25/03/2019
CVSS v2 Base Score: 7.8 | Impact Score: 6.9 | Exploitability Score: 10
VMScore: 764
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Vulnerability Summary

The HTTP/1.1 connector in Apache Tomcat 4.1.15 up to and including 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote malicious users to read JSP source files and obtain sensitive information.

Affected Products

Vendor | Product | Versions
Apache | Tomcat | 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20, 4.1.21, 4.1.22, 4.1.23, 4.1.24, 4.1.25, 4.1.26, 4.1.27, 4.1.28, 4.1.29, 4.1.30, 4.1.31, 4.1.32, 4.1.33, 4.1.34, 4.1.35, 4.1.36, 4.1.37, 4.1.39, 4.1.40