Think you have a false positive on this rule?
Sid 1-18
Summary:
Impact:
Confidentiality Impact: PARTIAL Integrity Impact: NONE Availability Impact: NONE
Detailed Information:
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
Affected Systems:
apache tomcat 4.1.2
apache tomcat 4.1.1
apache tomcat 4.1.3
apache tomcat 4.1.35
apache tomcat 4.1.34
apache tomcat 4.1.26
apache tomcat 4.1.25
apache tomcat 4.1.28
apache tomcat 4.1.27
apache tomcat 4.1.29
apache tomcat 6.0.4
apache tomcat 6.0.5
apache tomcat 4.1.20
apache tomcat 4.1.22
apache tomcat 6.0.0
apache tomcat 4.1.21
apache tomcat 6.0.1
apache tomcat 6.0.2
apache tomcat 6.0.3
apache tomcat 5.5.25
apache tomcat 5.5.24
apache tomcat 5.5.23
apache tomcat 5.5.22
apache tomcat 6.0
apache tomcat 6.0.9
apache tomcat 5.5.27
apache tomcat 5.5.26
apache tomcat 6.0.6
apache tomcat 6.0.7
apache tomcat 5.5.21
apache tomcat 5.5.20
apache tomcat 4.1.24
apache tomcat 4.1.23
apache tomcat 4.1.15
apache tomcat 4.1.14
apache tomcat 4.1.17
apache tomcat 4.1.16
apache tomcat 4.1.19
apache tomcat 4.1.18
apache tomcat 4.1.11
apache tomcat 4.1.10
apache tomcat 5.5.14
apache tomcat 5.5.13
apache tomcat 5.5.12
apache tomcat 5.5.11
apache tomcat 5.5.16
apache tomcat 5.5.15
apache tomcat 6.0.14
apache tomcat 6.0.13
apache tomcat 5.5.19
apache tomcat 5.5.10
apache tomcat 4.1.13
apache tomcat 4.1.12
apache tomcat 5.5.0
apache tomcat 5.5.1
apache tomcat 5.5.6
apache tomcat 5.5.7
apache tomcat 5.5.4
apache tomcat 5.5.5
apache tomcat 5.5.8
apache tomcat 5.5.9
apache tomcat 5.5.2
apache tomcat 5.5.3
apache tomcat 4.1.37
apache tomcat 4.1.36
apache tomcat 4.1.39
apache tomcat 4.1.38
apache tomcat 5.5.18
apache tomcat 6.0.18
apache tomcat 5.5.17
apache tomcat 6.0.17
apache tomcat 4.1.0
apache tomcat 6.0.16
apache tomcat 6.0.15
apache tomcat 4.1.31
apache tomcat 6.0.12
apache tomcat 4.1.30
apache tomcat 4.1.33
apache tomcat 6.0.10
apache tomcat 4.1.32
Attack Scenarios:
False Positives:
False Negatives:
Corrective Action:
Upgrade to the latest non-affected version
Apply vendor-provided patches
Contributors:
Additional References: