CVE-2008-2938

EPSS 99.7%

Vexday Risk Score

60Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS —EPSS 99.7%KEV nãoPoC públicaNuclei —Metasploit simPatch referenciado

Lifecycle

13 Aug 2008Published on NVD

09 Jan 2009Metasploit module available

28 Jul 2010Public PoC

Recommendation: Plan a near-term fix — a public PoC already exists.

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

Affected products

n/a · n/a

public PoCs found — 3

githubgithub.com/Naramsim/Offensive★ 1 cve_referencewww.exploit-db.com/exploits/6229unverified exploitdbwww.exploit-db.com/exploits/14489unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2008-09/msg00004.html http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html http://marc.info/?l=bugtraq&m=123376588623823&w=2 http://secunia.com/advisories/31639 http://secunia.com/advisories/31865 http://secunia.com/advisories/31891 http://secunia.com/advisories/31982 http://secunia.com/advisories/32120 http://secunia.com/advisories/32222 http://secunia.com/advisories/32266 http://secunia.com/advisories/33797