Home > Vulnerability Database > CVE-2015-5345

Mend.io Vulnerability Database

New vulnerability? Tell us about it!

CVE-2015-5345

Good to know:

Date: February 24, 2016

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

Language: Java

Severity Score

5.3

Related Resources (76)

Url: http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Url: http://rhn.redhat.com/errata/RHSA-2016-2599.html

Url: http://marc.info/?l=bugtraq&m=145974991225029&w=2

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00082.html

Url: http://www.qcsec.com/blog/CVE-2015-5345-apache-tomcat-vulnerability.html

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

Url: https://github.com/apache/tomcat/commit/89cd0cf33a99dbbcf5c69050a83b6876e39269d7

Url: http://svn.apache.org/viewvc?view=revision&revision=1717216

Url: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html

Url: https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E

Url: https://github.com/apache/tomcat

Url: http://tomcat.apache.org/security-8.html

Url: https://github.com/apache/tomcat/commit/a273b5f45cb46a273d06510a689fc314155a952d

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

Url: http://svn.apache.org/viewvc?view=revision&revision=1716882

Url: http://svn.apache.org/viewvc?view=revision&revision=1717212

Url: http://rhn.redhat.com/errata/RHSA-2016-2045.html

Url: https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E

Url: http://svn.apache.org/viewvc?view=revision&revision=1715207

Url: https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E

Url: http://svn.apache.org/viewvc?view=revision&revision=1715206

Url: https://access.redhat.com/security/cve/CVE-2015-5345

Url: http://tomcat.apache.org/security-7.html

Url: http://svn.apache.org/viewvc?view=revision&revision=1716894

Url: https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Url: http://www.debian.org/security/2016/dsa-3530

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

Url: https://web.archive.org/web/20160804024910/http://www.securityfocus.com/bid/83328

Url: https://bz.apache.org/bugzilla/show_bug.cgi?id=58765

Url: https://nvd.nist.gov/vuln/detail/CVE-2015-5345

Url: http://www.securityfocus.com/bid/83328

Url: https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E

Url: http://www.securitytracker.com/id/1035071

Url: https://github.com/apache/tomcat80/commit/2b643a4e36d318d55ec57fee57610671656d23c0

Url: https://github.com/apache/tomcat/commit/66daa4adc14b3e939659879153c0a579fdfcb099

Url: http://svn.apache.org/viewvc?view=revision&revision=1715216

Url: https://kc.mcafee.com/corporate/index?page=content&id=SB10156

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

Url: http://svn.apache.org/viewvc?view=revision&revision=1715213

Url: http://www.debian.org/security/2016/dsa-3609

Url: https://security.netapp.com/advisory/ntap-20180531-0001

Url: http://packetstormsecurity.com/files/135892/Apache-Tomcat-Directory-Disclosure.html

Url: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

Url: https://github.com/apache/tomcat80/commit/c15c2aba8eb42425f9ebcfcaef579dada38ad3a2

Url: https://github.com/apache/tomcat/commit/8437193708e4bf6b2861a7953dc472f9dad49111

Url: https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Url: http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

Url: https://bto.bluecoat.com/security-advisory/sa118

Url: http://www.ubuntu.com/usn/USN-3024-1

Url: https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2016:1088

Url: https://security.netapp.com/advisory/ntap-20180531-0001/

Url: https://github.com/apache/tomcat/commit/127d8ea86d245846f0472865f0eb1eb111955e71

Url: https://security.gentoo.org/glsa/201705-09

Url: https://github.com/apache/tomcat/commit/816552abf6735fa37dfd37c8a7bfbdbd045477e0

Url: https://github.com/apache/tomcat/commit/c584c7c4ab0686e4125eefcd0afb32fb8269da3d

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: http://seclists.org/bugtraq/2016/Feb/146

Url: https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Url: https://access.redhat.com/errata/RHSA-2016:1087

Url: https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Url: http://www.debian.org/security/2016/dsa-3552

Url: http://svn.apache.org/viewvc?view=revision&revision=1717209

Url: https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E

Url: http://rhn.redhat.com/errata/RHSA-2016-1089.html

Url: http://tomcat.apache.org/security-9.html

Url: https://github.com/apache/tomcat/commit/7288bc70a14edcfeff0a96e333a858be374cfc64

Url: https://web.archive.org/web/20160321235514/http://www.securitytracker.com/id/1035071

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

Url: http://tomcat.apache.org/security-6.html

Url: https://github.com/apache/tomcat/commit/58c09b6217c546e1a251a82da227018f05277228

Url: http://seclists.org/fulldisclosure/2016/Feb/122

Url: http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Url: https://www.mend.io/vulnerability-database/CVE-2015-5345

Severity Score

5.3

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	5.0
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Do you need more information?

Contact Us