Published:2009/06/09  Last Updated:2016/11/02

Apache Tomcat information disclosure vulnerability


Apache Tomcat from The Apache Software Foundation contains an information disclosure vulnerability.

Products Affected

  • Apache Tomcat 4.1.0 to 4.1.39
  • Apache Tomcat 5.5.0 to 5.5.27
  • Apache Tomcat 6.0.0 to 6.0.18
According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
For more information, refer to the developer's website.


Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies.
Apache Tomcat contains a vulnerability which may allow information disclosure or access to the contents contained in the WEB-INF directory.


A remote attacker could possibly obtain information such as configuration or user credentials contained in the application which resides under the WEB-INF directory.


Update the Software

Update to Apache Tomcat 6.0.20 according to the information provided by the developer.

For Apache Tomcat 5.5.x and Apache Tomcat 4.1.x:
As of June 9, 2009, The Apache Tomcat Project has not yet released the latest versions resolving the vulnerability. Users of Apache Tomcat 5.5.x and 4.1.x should obtain the latest source code from svn, or update to Apache Tomcat 5.5.28 and 4.1.40 once they are released.

For more information, refer to the developer's website.

Vendor Status

Vendor Status Last Update Vendor Notes
BUFFALO INC. Not Vulnerable 2009/06/09
FUJITSU LIMITED Vulnerable 2015/10/09
Hitachi Not Vulnerable 2009/06/09
NEC Corporation Vulnerable 2016/11/01


JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Analyzed on 2009.06.09

Measures Conditions Severity
Access Required can be attacked over the Internet using packets
  • High
Authentication anonymous or no authentication (IP addresses do not count)
  • High
User Interaction Required the vulnerability can be exploited without an honest user taking any action
  • High
Exploit Complexity some expertise and/or luck required (most buffer overflows, guessing correctly in small space, expertise in Windows function calls)
  • Mid-High

Description of each analysis measures


Minehiko Iida and Yuichiro Suzuki of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2008-5515
JVN iPedia JVNDB-2009-000036

Update History

FUJITSU LIMITED update status
NEC Corporation update status