Description
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
Remediation
References
Related Vulnerabilities
WordPress Plugin Stripe Payment for WooCommerce Security Bypass (3.7.9)
WordPress Plugin Chat-Support Board-WordPress Chat Multiple SQL Injection Vulnerabilities (3.3.3)
Ruby Permissions, Privileges, and Access Controls Vulnerability (CVE-2008-3655)
WordPress Plugin Contact Form Email Cross-Site Scripting (1.3.24)