CVE-2001-0590 in Tomcat
Summary
by MITRE
Apache Software Foundation Tomcat Servlet prior to 3.2.2 allows a remote attacker to read the source code to arbitrary jsp files via a malformed URL request which does not end with an HTTP protocol specification (i.e. HTTP/1.0).
Analysis
by VulDB Data Team • 10/05/2025
CVE-2001-0590 is a critical information disclosure flaw in Apache Tomcat versions prior to 3.2.2 that affects the servlet container's handling of malformed HTTP requests. It concerns the way Tomcat processes URL requests that do not end with the standard HTTP protocol specification. The flaw stems from inadequate input validation and request parsing within the Tomcat servlet implementation, which gives remote attackers a way around the system's file access controls.
Exploitation occurs when an attacker sends a malformed URL request that omits the HTTP protocol identifier, such as HTTP/1.0 or HTTP/1.1. When Tomcat receives such a request, its processing logic fails to validate the request format and interprets the request as a direct file access attempt. This flaw enables attackers to traverse the file system and retrieve the source code of arbitrary Java Server Pages files, bypassing normal access controls and security boundaries. The vulnerability is categorized under CWE-200, "Information Exposure", and relates to improper input validation within web applications.
The operational impact of this vulnerability is severe as it provides attackers with unauthorized access to sensitive source code files that may contain database connection strings, application logic, business rules, and other confidential information. The exposure of JSP source code can lead to complete application compromise, as attackers gain insight into the internal workings of the web application and can identify additional vulnerabilities. This information disclosure can result in further exploitation opportunities including privilege escalation, data theft, and system compromise. The vulnerability affects the confidentiality and integrity aspects of the CIA triad, as it allows unauthorized data access and potentially enables more sophisticated attacks.
Mitigation strategies for CVE-2001-0590 require immediate patching of affected Tomcat installations to version 3.2.2 or later, which contains the necessary fixes for proper HTTP request validation. Organizations should implement proper input sanitization measures and ensure that all HTTP requests are properly validated before processing. Network segmentation and firewall rules can help limit access to Tomcat servers, while web application firewalls should be configured to detect and block malformed requests. Regular security assessments and code reviews should be conducted to identify similar input validation issues. The vulnerability aligns with ATT&CK technique T1068 which covers "Exploitation for Privilege Escalation" and T1566 which covers "Phishing with Malicious Attachments", as the information disclosure can facilitate further attack vectors. System administrators should also implement monitoring solutions to detect unusual file access patterns and malformed HTTP requests that could indicate exploitation attempts.
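The monitoring recommended above can start from the access log. The following is an added example, not VulDB or Tomcat code: it flags requests for `.jsp` resources whose request line lacks the trailing `HTTP/x.y` token. It assumes entries in Common Log Format (from Tomcat or a fronting proxy); the function names and sample entries are constructed for illustration.

```python
import re

# Assumed log layout: Common Log Format, with the raw request line in quotes.
CLF = re.compile(r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+')
# A well-formed request line ends with the protocol specification.
HTTP_VERSION = re.compile(r"^HTTP/\d+\.\d+$")

def classify(request_line):
    """Split a raw request line into (method, path, has_version)."""
    parts = request_line.split()
    if not parts:
        return None, "", False
    has_version = len(parts) >= 3 and bool(HTTP_VERSION.match(parts[-1]))
    path = " ".join(parts[1:-1] if has_version else parts[1:])
    return parts[0], path, has_version

def find_suspect_requests(lines):
    """Return requests for .jsp resources whose request line has no HTTP/x.y."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF entry; skip rather than guess
        method, path, has_version = classify(m.group("request"))
        if has_version:
            continue
        # Ignore the query string and letter case when checking the extension.
        if path.split("?", 1)[0].lower().endswith(".jsp"):
            hits.append({"host": m.group("host"), "method": method,
                         "path": path, "status": int(m.group("status"))})
    return hits

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Apr/2001:10:01:02 +0000] "GET /index.jsp HTTP/1.0" 200 1523',
    '192.0.2.44 - - [12/Apr/2001:10:01:09 +0000] "GET /admin/login.jsp" 200 4096',
    '192.0.2.44 - - [12/Apr/2001:10:01:11 +0000] "GET /images/logo.gif" 200 812',
    '192.0.2.10 - - [12/Apr/2001:10:01:15 +0000] "GET /search.jsp?q=a HTTP/1.1" 200 2210',
    '192.0.2.77 - - [12/Apr/2001:10:02:00 +0000] "GET /shop/cart.JSP?id=1" 404 0',
]

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A hit with status 200 on a pre-3.2.2 installation is the case to review first, since the response body may have contained JSP source.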