CVE-2002-1148 in Tomcat
Summary
by MITRE
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 09/08/2025
The vulnerability identified as CVE-2002-1148 represents a critical security flaw in the Apache Tomcat web server software that affects versions 4.0.4 and 4.1.10 and earlier. This issue resides within the default servlet implementation known as org.apache.catalina.servlets.DefaultServlet which serves as the primary handler for static content requests in the Tomcat container. The vulnerability stems from insufficient input validation and access control mechanisms that fail to properly restrict file access requests, allowing malicious actors to bypass normal security boundaries and directly access sensitive server files. This flaw directly violates fundamental security principles of least privilege and proper access control enforcement that are essential for protecting server resources from unauthorized access.
The technical exploitation of this vulnerability occurs when remote attackers construct specific HTTP requests that target the DefaultServlet directly rather than following normal application pathways. Through careful crafting of URL parameters and request patterns, attackers can manipulate the servlet to serve files from arbitrary locations on the server filesystem, including source code files, configuration files, and other sensitive data that should remain protected from public access. The vulnerability specifically enables attackers to retrieve server-side files that contain sensitive information such as database connection strings, application logic, and other proprietary code that could be used to further compromise the system or develop targeted attacks against the application infrastructure. This represents a classic case of improper access control where the servlet fails to validate user requests against appropriate authorization checks before serving content.
The operational impact of CVE-2002-1148 is severe and multifaceted, as it provides attackers with direct access to potentially sensitive server information that could lead to complete system compromise. When successful, this vulnerability allows attackers to extract source code files that may contain hardcoded credentials, database connection details, and application logic that significantly reduces the security posture of the affected system. The exposure of source code provides attackers with valuable intelligence for developing more sophisticated attacks, including potential exploitation of additional vulnerabilities within the application. From an industry standards perspective, this vulnerability maps directly to CWE-22 Improper Limitation of a Pathname to a Restricted Directory and CWE-73 Improper Control of File Name or Path, both of which are classified under the broader category of path traversal and access control weaknesses. The vulnerability also aligns with ATT&CK technique T1213.002 Access Data: Remote Data Staging, which describes methods for accessing and extracting data from remote systems.
Organizations affected by this vulnerability should immediately implement mitigations including upgrading to patched versions of Tomcat 4.1.11 or later, which contain the necessary security fixes to prevent unauthorized file access. Additionally, administrators should configure proper access controls and restrictions on the DefaultServlet to prevent direct access to sensitive server directories. Network-level protections such as firewalls and web application firewalls should be implemented to monitor and block suspicious requests that attempt to access server filesystem paths directly. The vulnerability highlights the critical importance of proper input validation and access control implementation in web applications, and serves as a reminder that even default servlet implementations can contain security flaws that require careful monitoring and timely patch management. Organizations should also conduct comprehensive security assessments to identify any other instances of similar path traversal vulnerabilities within their application infrastructure to prevent similar incidents from occurring in the future.