Description
The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.
Remediation
References