ID CVE-2002-2009
Summary Apache Tomcat 4.0.1 allows remote attackers to obtain the web root path via HTTP requests for JSP files preceded by (1) +/, (2) >/, (3) </, and (4) %20/, which leaks the pathname in an error message.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 4.0.1
    cpe:2.3:a:apache:tomcat:4.0.1
CVSS
Base: 5.0 (as of 11-08-2005 - 08:53)
Impact:
Exploitability:
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
nessus via4
NASL family Web Servers
NASL id TOMCAT_LONG_URL_PATH_DISCLOSE.NASL
description The remote Apache Tomcat web server is affected by an information disclosure vulnerability. The full install path of Apache Tomcat can be obtained by sending an HTTP request which contains a long URL. Note that there reportedly is an additional install path disclosure vulnerability in this version of Apache Tomcat; however, Nessus has not explicitly tested for it.
last seen 2019-02-21
modified 2018-11-15
plugin id 49701
published 2010-10-01
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=49701
title Apache Tomcat Long URL Information Disclosure
refmap via4
bid 4557
bugtraq
  • 20010419 Re: Tomcat 4.1 real path disclosure
  • 20020419 Tomcat 4.1 real path disclosure
confirm http://tomcat.apache.org/security-4.html
mlist [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
xf tomcat-jsp-path-disclosure(42915)
Last major update 05-09-2008 - 16:32
Published 31-12-2002 - 00:00
Last modified 21-03-2019 - 11:33