CVE-2015-5174

medium

Apache

CVSS v3 Base Score

4.3

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Score

3.7%

Exploitation probability in 30 days

Top 12% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Confidentiality

Low

Integrity

None

Availability

None

Published: February 25, 2016 (3732 days ago)

Last Modified: May 6, 2026

Vendor: Apache

Source: NVD

Description

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

CWE

CWE-22

Affected Products

debian debian linuxapache tomcatcanonical ubuntu linux

References

🔗 lists.opensuse.org 🔗 lists.opensuse.org 🔗 lists.opensuse.org 🔗 lists.opensuse.org 🔗 marc.info

CVE-2015-5174

Vulnerability Report

Description

CWE

Affected Products

References