Directory disclosure in Apache Tomcat and Oracle Linux - CVE-2015-5345


Published: August 5, 2016 / Updated: January 11, 2017


Vulnerability identifier: #VU262
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2015-5345
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Apache Foundation, Oracle

Affected software: Apache Tomcat, Oracle Linux

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash thereby confirming the presence of the directory before processing the security constraint. It was therefore possible for a user to determine if a directory existed or not, even if the user was not permitted to view the directory.

Successful exploitation of the vulnerability may allow a remote attacker to confirm the existence of directories on the system that the attacker is not authorized to view.
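The ordering defect described above, modelled as an added example that is not code from the advisory or from Tomcat: a toy request handler in the vulnerable order (mapper redirect before the security constraint) next to the fixed order (authorization first), plus a check that tells a defender whether unauthenticated responses still differ between an existing and a non-existing protected directory. Directory names and the `/admin` prefix are constructed for the example.

```python
# Added example, not Tomcat's code: toy model of the CVE-2015-5345 ordering bug.
from typing import Callable, Optional, Tuple

# Constructed deployment: directories that exist, and the path prefix covered
# by a security constraint that requires authentication (hypothetical names).
EXISTING_DIRS = {"/admin", "/admin/reports", "/public"}
PROTECTED_PREFIX = "/admin"

Response = Tuple[int, Optional[str]]  # (HTTP status, Location header or None)


def _is_protected(path: str) -> bool:
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def _serve(path: str) -> Response:
    # What an authorized request sees once mapping and authorization are done.
    return (200, None) if path.rstrip("/") in EXISTING_DIRS else (404, None)


def handle_vulnerable(path: str, authenticated: bool) -> Response:
    """Vulnerable order: the mapper redirects 'dir' -> 'dir/' before the
    security constraint is evaluated, so the 302 itself confirms existence."""
    if not path.endswith("/") and path in EXISTING_DIRS:
        return (302, path + "/")
    if _is_protected(path) and not authenticated:
        return (401, None)
    return _serve(path)


def handle_fixed(path: str, authenticated: bool) -> Response:
    """Fixed order: authorization first; an unauthenticated request under the
    protected prefix gets the same answer whether or not the directory exists."""
    if _is_protected(path) and not authenticated:
        return (401, None)
    if not path.endswith("/") and path in EXISTING_DIRS:
        return (302, path + "/")
    return _serve(path)


def leaks_existence(handler: Callable[[str, bool], Response]) -> bool:
    """Defender's check: do unauthenticated responses differ between an
    existing and a non-existing protected directory?"""
    existing = handler("/admin/reports", authenticated=False)
    missing = handler("/admin/nosuchdir", authenticated=False)
    return existing != missing


if __name__ == "__main__":
    print("vulnerable order leaks:", leaks_existence(handle_vulnerable))  # True
    print("fixed order leaks:", leaks_existence(handle_fixed))            # False
```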


How to mitigate CVE-2015-5345

Update to a fixed release: Apache Tomcat 6.0.45, 7.0.68, 8.0.30 or 9.0.0.M3 (or later).

Sources