CVE-2015-5345 in Tomcat

Summary

by MITRE

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.


Analysis

by VulDB Data Team • 07/08/2022

CVE-2015-5345 is an information disclosure flaw in the Mapper component of Apache Tomcat, the part of the request pipeline that resolves an incoming URL to a context, servlet and resource. It affects 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30 and 9.x before 9.0.0.M2, so every branch under development at the time was exposed. The root cause is an ordering error: when the Mapper matched a request to a directory, it issued the trailing-slash redirect itself, before any security constraint or Filter configured for that URL had been evaluated.

In practice, a request for an existing directory whose URL lacks the trailing slash is answered with a redirect to the same URL with the slash appended, because the Mapper commits that response before the security constraint or Filter chain gets a chance to reject the request. A request for a non-existent path is not redirected; it reaches the security constraint and is rejected with 401 or 403 (or, outside any constraint, answered with 404). An unauthenticated client can therefore tell the two cases apart by status code alone. The same applies at the root of a web application: a redirect from /app to /app/ confirms that the context is deployed even when the client is not allowed to use it. Nothing is bypassed beyond that check; the disclosure is limited to whether a directory or context exists, and no contents are exposed.

The operational impact is a directory-existence oracle that needs no authentication or privileges: an attacker sends requests for candidate paths without the trailing slash and reads existence off the response. This is not directory traversal and reveals no file contents, but it lets an attacker enumerate directories and deployed contexts that sit behind a security constraint (a management console, a backup or log directory, an internal tool) and so focus later attacks on what is actually there. It is a quiet reconnaissance primitive rather than a direct compromise, which is why it matters most on Internet-facing deployments where the enumeration cannot otherwise be stopped.

From a classification standpoint this is CWE-200, "Information Exposure," and it maps to ATT&CK technique T1083, "File and Directory Discovery." The weakness is not a missing access check but a check that runs too late: the constraint is configured correctly, yet the Mapper has already committed a response that depends on the protected resource's existence. Organizations running affected Tomcat versions should treat it as a low-severity but reliable reconnaissance aid that any remote, unauthenticated client can use.

The fix is to upgrade to 6.0.45, 7.0.68, 8.0.30 or 9.0.0.M2 (or later) on the branch in use. The patched releases move the trailing-slash redirect out of the Mapper so that security constraints and Filters are evaluated first. On the 7.x, 8.x and 9.x branches the older Mapper behaviour can be re-enabled per Context through the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes, so audit server.xml and context.xml for those settings and leave them off wherever the existence of a context or directory must not leak (confirm the attribute names and defaults in the Context reference for your branch). Verify the fix with two unauthenticated requests under the same security constraint, both without the trailing slash: one for a directory known to exist and one for a made-up name. A patched server answers both the same way; a vulnerable one answers the first with a redirect. Until the upgrade is done, a reverse proxy or URL rewriting rule that normalises trailing slashes in front of Tomcat narrows the oracle but does not close it, because a rule that appends a slash to every request breaks file URLs and a rule limited to known directories must be kept in sync with the deployment. In access logs, the signature of enumeration through this oracle is a single client requesting many distinct slash-less paths and receiving only redirects and 404s, which is worth alerting on. Security teams should also inventory other Tomcat instances, including embedded ones, since the affected versions span every branch.
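As an added example (not VulDB's text nor Apache Tomcat's code), the following Python models the existence oracle described above and the corresponding access-log detector. The host name, paths, status codes and log lines are constructed for illustration; the probe threshold and the default AccessLogValve pattern are assumptions about the deployment being checked.

```python
# Added example, not part of the VulDB entry or of Apache Tomcat: the response
# oracle that CVE-2015-5345 creates, and a detector for enumeration through it
# in Tomcat access logs. Host names, paths and log lines are constructed.
import re
from collections import defaultdict
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}


def directory_oracle(path, status, location=None):
    """Classify an unauthenticated response to a slash-less URL that sits under
    a security constraint.  A vulnerable Mapper answers an existing directory
    with a redirect to path + '/' before the constraint runs; a patched server
    lets the constraint answer first, so existing and missing paths look the
    same to an unauthenticated client."""
    if path.endswith("/"):
        raise ValueError("probe URLs must not end in a slash")
    if status in REDIRECTS and location:
        if urlsplit(location).path == path + "/":
            return "exists"          # redirect committed before the constraint
    if status in (401, 403):
        return "denied"              # constraint ran; existence not revealed
    if status == 404:
        return "absent"
    return "unknown"


def is_vulnerable(responses):
    """responses: list of (path, status, location) collected for one
    constraint-protected prefix, mixing real and made-up directory names.
    The server is vulnerable if any probe leaked existence via the redirect."""
    return any(directory_oracle(*r) == "exists" for r in responses)


# Tomcat access log, default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path
    return rec


def find_probers(log_lines, min_paths=5):
    """Flag clients that requested many distinct slash-less, file-less paths
    and got only redirects or 404s back: the shape of enumeration through the
    oracle.  Returns {client: sorted list of probed paths}."""
    probes = defaultdict(set)
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["method"] not in ("GET", "HEAD"):
            continue
        last = rec["path"].rsplit("/", 1)[-1]
        if rec["path"].endswith("/") or "." in last:
            continue                 # trailing slash or file-like name: not a probe
        if rec["status"] in REDIRECTS or rec["status"] == 404:
            probes[rec["host"]].add(rec["path"])
    return {h: sorted(p) for h, p in probes.items() if len(p) >= min_paths}


# Constructed sample log: one client sweeping candidate directories, one
# ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2016:10:00:01 +0000] "GET /manager HTTP/1.1" 302 -
10.0.0.5 - - [24/Feb/2016:10:00:01 +0000] "GET /admin HTTP/1.1" 404 1023
10.0.0.5 - - [24/Feb/2016:10:00:02 +0000] "GET /backup HTTP/1.1" 302 -
10.0.0.5 - - [24/Feb/2016:10:00:02 +0000] "GET /private HTTP/1.1" 404 1023
10.0.0.5 - - [24/Feb/2016:10:00:03 +0000] "GET /logs HTTP/1.1" 302 -
10.0.0.5 - - [24/Feb/2016:10:00:03 +0000] "GET /config HTTP/1.1" 404 1023
192.0.2.10 - - [24/Feb/2016:10:01:00 +0000] "GET /app/ HTTP/1.1" 200 5120
192.0.2.10 - - [24/Feb/2016:10:01:00 +0000] "GET /app/style.css HTTP/1.1" 200 812
192.0.2.10 - - [24/Feb/2016:10:01:05 +0000] "GET /app/reports HTTP/1.1" 302 -
""".splitlines()

if __name__ == "__main__":
    # Constructed responses as an unpatched server would return them.
    probes = [("/secure/reports", 302, "http://example.test/secure/reports/"),
              ("/secure/zzz-nope", 401, None)]
    print("vulnerable:", is_vulnerable(probes))
    print("probers:", find_probers(SAMPLE_LOG))
```

The verification step is the pair of probes in `is_vulnerable`: after the upgrade, both the real and the made-up directory under the same constraint should classify as "denied". The detector deliberately ignores paths with a file-like last segment and paths that already end in a slash, so ordinary browsing of a deployed application does not trip the threshold.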

Reservation

07/01/2015

Disclosure

02/24/2016

Moderation

accepted

Entry

VDB-81081

CPE

ready

EPSS

0.18380

KEV

no

Activities

very low

Sources
