tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: [CVE-2008-2370] Apache Tomcat information disclosure vulnerability
Date Fri, 01 Aug 2008 23:48:56 GMT
Mark Thomas wrote:
> Description:
> When using a RequestDispatcher the target path was normalised before the
> query string was removed. A request that included a specially crafted
> request parameter could be used to access content that would otherwise be
> protected by a security constraint or by locating it in under the WEB-INF
> directory.
> Mitigation:
> 6.0.x users should upgrade to 6.0.18

Stupid question, perhaps, but why weren't mitigations published with this
advisory?  In general we want people to simply adopt the current version,
but if they don't match the vulnerability conditions (or are willing to
configure themselves away from them), this should not disrupt the active

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message