Description
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
Remediation
References
Related Vulnerabilities
Apache Traffic Server Exposure of Resource to Wrong Sphere Vulnerability (CVE-2018-8040)
Oracle JRE CVE-2020-2583 Vulnerability (CVE-2020-2583)
WordPress Plugin The Plus Addons for Elementor Security Bypass (4.1.10)
Oracle Database Server CVE-2009-1993 Vulnerability (CVE-2009-1993)
Atlassian Jira Improper Authentication Vulnerability (CVE-2021-41312)