A vulnerability, which was classified as problematic, was found in Apache Tomcat (Application Server Software) (unknown version). Affected is an unknown code block of the component WebDAV. The manipulation with an unknown input leads to a path traversal vulnerability (Stored). CWE is classifying the issue as CWE-22. The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. This is going to have an impact on confidentiality. CVE summarizes:

Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

The weakness was shared 10/25/2007 by eliteb0y (Website). The advisory is available at exploit-db.com. This vulnerability is traded as CVE-2007-5461 since 10/15/2007. It is possible to launch the attack remotely. The requirement for exploitation is a authentication. Technical details are unknown but a public exploit is available. This vulnerability is assigned to T1006 by the MITRE ATT&CK project.

A public exploit has been developed by eliteboy and been published before and not just after the advisory. The exploit is shared for download at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 1 days. During that time the estimated underground price was around $5k-$25k. The vulnerability scanner Nessus provides a plugin with the ID 39485 (Mandriva Linux Security Advisory : tomcat5 (MDVSA-2009:136)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Mandriva Local Security Checks and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 11889 (TripWire Enterprise Console Prior to version 8.6.0 Multiple Vulnerabilities.).

Applying a patch is able to eliminate this problem. The bugfix is ready for download at tomcat.apache.org. A possible mitigation has been published 2 years after the disclosure of the vulnerability. Attack attempts may be identified with Snort ID 12711. In this case the pattern is used for detection. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 5988.

The vulnerability is also documented in the databases at X-Force (37243), Exploit-DB (4530), Tenable (39485), SecurityFocus (BID 26070†) and OSVDB (38187†). The entries VDB-10130, VDB-18549, VDB-24854 and VDB-27834 are related to this item. VulDB is the best source for vulnerability data and more expert information about this specific topic.

Productinfo

Type

• Application Server Software

Vendor

• Apache

Name

• Tomcat

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info