Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-zrc5-bf77-aygn

Summary

Improper Limitation of a Pathname to a Restricted Directory in Apache Tomcat
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

Aliases

alias	CVE-2015-5174

alias	GHSA-6qr6-x7jm-x2q6

Fixed_packages

url pkg:maven/org.apache.tomcat/tomcat@6.0.45

purl pkg:maven/org.apache.tomcat/tomcat@6.0.45

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-s37s-p75k-27e6

vulnerability	VCID-tcmv-6ftg-fqen

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@6.0.45

url pkg:maven/org.apache.tomcat/tomcat@7.0.65

purl pkg:maven/org.apache.tomcat/tomcat@7.0.65

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-e2gy-1c6a-6fdf

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@7.0.65

url	pkg:maven/org.apache.tomcat/tomcat@8.0.27
purl	pkg:maven/org.apache.tomcat/tomcat@8.0.27
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.0.27

Affected_packages

References

reference_url	https://access.redhat.com/errata/RHSA-2016:1432
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2016:1432

reference_url	https://access.redhat.com/errata/RHSA-2016:1433
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2016:1433

reference_url	https://access.redhat.com/errata/RHSA-2016:1434
reference_id
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2016:1434

reference_url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
reference_id
reference_type
scores
url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964

reference_url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
reference_id
reference_type
scores
url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

reference_url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
reference_id
reference_type
scores
url	https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

reference_url	https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2@%3Cusers.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r0b24f2c7507f702348e2c2d64e8a5de72bad6173658e8d8e45322ac2@%3Cusers.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85@%3Cusers.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r15695e6203b026c9e9070ca9fa95fb17dd4cd88e5342a7dc5e1e7b85@%3Cusers.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e@%3Cusers.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r1c62634b7426bee5f553307063457b99c84af73b078ede4f2592b34e@%3Cusers.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4@%3Cusers.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r409efdf706c2077ae5c37018a87da725a3ca89570a9530342cdc53e4@%3Cusers.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E

reference_url	https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350@%3Cusers.tomcat.apache.org%3E
reference_id
reference_type
scores
url	https://lists.apache.org/thread.html/rd4863c79bf729aabb95571fd845a9ea4ee3ae3fcee48f35aba007350@%3Cusers.tomcat.apache.org%3E

reference_url	https://security.gentoo.org/glsa/201705-09
reference_id
reference_type
scores
url	https://security.gentoo.org/glsa/201705-09

reference_url	https://security.netapp.com/advisory/ntap-20180531-0001
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20180531-0001

reference_url	https://nvd.nist.gov/vuln/detail/CVE-2015-5174
reference_id	CVE-2015-5174
reference_type
scores
url	https://nvd.nist.gov/vuln/detail/CVE-2015-5174

reference_url	https://github.com/advisories/GHSA-6qr6-x7jm-x2q6
reference_id	GHSA-6qr6-x7jm-x2q6
reference_type
scores
url	https://github.com/advisories/GHSA-6qr6-x7jm-x2q6

Weaknesses

cwe_id	22
name	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
description	The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score null

Exploitability null

Weighted_severity null

Risk_score null

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zrc5-bf77-aygn

Vulnerability Instance