Mark Thomas wrote:
What mitigations are you thinking of?
The description is intended to be sufficient for a user to determine if
they match the vulnerability conditions. And for this notice I
believe it meets this criteria.
In this case there is no way of configuring yourself away from
William A. Rowe, Jr. wrote:
Mark Thomas wrote:
Description:
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a sec
Mark Thomas wrote:
Description:
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by locati
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2008-2370: Apache Tomcat information disclosure vulnerability
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x