Description
The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.
Remediation
References