VYPR
Moderate severity · NVD Advisory · Published Aug 13, 2008 · Updated Apr 23, 2026

CVE-2008-2938

Description

Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                    Ecosystem   Affected versions     Patched versions
org.apache.tomcat:tomcat   Maven       >= 4.1.0, < 4.1.39    4.1.39
org.apache.tomcat:tomcat   Maven       >= 5.5.0, < 5.5.27    5.5.27
org.apache.tomcat:tomcat   Maven       >= 6.0.0, < 6.0.18    6.0.18

Affected products

  • cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*
    Range: >=4.0.0,<=4.1.37

Patches

c55ad56ed72e

Port http://svn.apache.org/viewvc?rev=678137&view=rev (additional normalization check) to trunk

https://github.com/apache/tomcat · Mark Emlyn David Thomas · Jul 29, 2008 · via ghsa
1 file changed · +67 −0
  • java/org/apache/catalina/connector/CoyoteAdapter.java · +67 −0 · modified
    @@ -411,6 +411,12 @@ protected boolean postParseRequest(org.apache.coyote.Request req,
                 }
                 // Character decoding
                 convertURI(decodedURI, request);
    +            // Check that the URI is still normalized
    +            if (!checkNormalize(req.decodedURI())) {
    +                res.setStatus(400);
    +                res.setMessage("Invalid URI character encoding");
    +                return false;
    +            }
             } else {
                 // The URL is chars or String, and has been sent using an in-memory
                 // protocol handler, we have to assume the URL has been properly
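Review bot: the rejection added here is silent apart from the 400 status; consider logging the rejected decoded URI (at debug level, since it is attacker-controlled) so operators can distinguish these rejections from ordinary malformed requests and notice repeated probing. Two smaller points: the message "Invalid URI character encoding" only indirectly describes what checkNormalize detects (a "\", NUL, "//", "/./" or "/../" that survived character decoding), so either a more direct wording such as "Invalid URI" or a comment explaining the chosen message would help the next reader; and the hunk passes the local `decodedURI` to convertURI but `req.decodedURI()` to checkNormalize, which is fine if both refer to the same MessageBytes but reads as though they might differ, so using one name for both calls would make the intent clear.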
    @@ -787,6 +793,67 @@ public static boolean normalize(MessageBytes uriMB) {
         }
     
     
    +    /**
    +     * Check that the URI is normalized following character decoding.
    +     * <p>
    +     * This method checks for "\", 0, "//", "/./" and "/../". This method will
    +     * return false if sequences that are supposed to be normalized are still 
    +     * present in the URI.
    +     * 
    +     * @param uriMB URI to be checked (should be chars)
    +     */
    +    public static boolean checkNormalize(MessageBytes uriMB) {
    +
    +        CharChunk uriCC = uriMB.getCharChunk();
    +        char[] c = uriCC.getChars();
    +        int start = uriCC.getStart();
    +        int end = uriCC.getEnd();
    +
    +        int pos = 0;
    +
    +        // Check for '\' and 0
    +        for (pos = start; pos < end; pos++) {
    +            if (c[pos] == '\\') {
    +                return false;
    +            }
    +            if (c[pos] == 0) {
    +                return false;
    +            }
    +        }
    +
    +        // Check for "//"
    +        for (pos = start; pos < (end - 1); pos++) {
    +            if (c[pos] == '/') {
    +                if (c[pos + 1] == '/') {
    +                    return false;
    +                }
    +            }
    +        }
    +
    +        // Check for ending with "/." or "/.."
    +        if (((end - start) >= 2) && (c[end - 1] == '.')) {
    +            if ((c[end - 2] == '/') 
    +                    || ((c[end - 2] == '.') 
    +                    && (c[end - 3] == '/'))) {
    +                return false;
    +            }
    +        }
    +
    +        // Check for "/./"
    +        if (uriCC.indexOf("/./", 0, 3, 0) >= 0) {
    +            return false;
    +        }
    +
    +        // Check for "/../"
    +        if (uriCC.indexOf("/../", 0, 4, 0) >= 0) {
    +            return false;
    +        }
    +
    +        return true;
    +
    +    }
    +
    +
         // ------------------------------------------------------ Protected Methods
     
     
    
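Review bot: the trailing "/.." check in `if ((c[end - 2] == '/') || ((c[end - 2] == '.') && (c[end - 3] == '/')))` can read outside the chunk: the guard `(end - start) >= 2` admits a two-character chunk ending in "..", for which `end - 3` equals `start - 1`, so with `start == 0` the access throws ArrayIndexOutOfBoundsException instead of returning false, and with a larger `start` it compares against a byte that precedes the URI. Guard the ".." branch with `(end - start) >= 3` (the "/." branch is fine under the existing guard). Also: the Javadoc has `@param uriMB` but no `@return`, and the boolean result is the method's whole contract, so document it ("false if a sequence that should have been normalized is still present"); the two `indexOf` calls pass `0` as the chunk offset while the loops above index explicitly from `start` to `end`, so a comment stating that this offset is relative to the chunk start (or a loop in the same explicit style) would keep the method self-consistent; and several added lines carry trailing whitespace (two Javadoc lines and the two `if` continuation lines).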
