Mark Thomas wrote:
> Description: When using a RequestDispatcher the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it under the WEB-INF directory.
>
> Mitigation: 6.0.x users should upgrade to 6.0.18
Stupid question, perhaps, but why weren't mitigations published with this advisory? In general we want people to simply adopt the current version, but if they don't match the vulnerability conditions (or are willing to configure themselves away from them), this should not disrupt the active installations.
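The ordering bug in the quoted advisory, modelled as an added example (Python, not Tomcat's own code): a dispatcher target is normalised either before or after its query string is removed, and a constructed request parameter shows why only the second order respects a constraint on /WEB-INF. The path names and the `is_protected` check are assumptions standing in for a real security constraint.

```python
from posixpath import normpath

# Constructed dispatcher target: the ".." segments live entirely inside a
# request parameter value, where a correct implementation never looks.
CRAFTED_TARGET = "/app/page.jsp?next=/../../WEB-INF/web.xml"


def normalise(path: str) -> str:
    """Collapse '.' and '..' segments the way a servlet container does.

    posixpath.normpath keeps the leading '/' and never climbs above it,
    which is the behaviour a context-relative path gets in the container.
    """
    return normpath(path)


def dispatch_target_vulnerable(target: str) -> str:
    """Pre-6.0.18 order: normalise first, then drop the query string.

    The '..' inside the parameter value takes part in normalisation, so the
    resolved path walks into WEB-INF even though the caller's path did not.
    """
    path, _sep, _query = normalise(target).partition("?")
    return path


def dispatch_target_fixed(target: str) -> str:
    """Fixed order: drop the query string first, then normalise the path."""
    path, _sep, _query = target.partition("?")
    return normalise(path)


def is_protected(resolved_path: str) -> bool:
    """Constructed stand-in for a security constraint covering /WEB-INF/*."""
    return resolved_path == "/WEB-INF" or resolved_path.startswith("/WEB-INF/")


def main() -> None:
    for label, resolver in (("vulnerable", dispatch_target_vulnerable),
                            ("fixed", dispatch_target_fixed)):
        resolved = resolver(CRAFTED_TARGET)
        print(f"{label:10s} -> {resolved}  protected={is_protected(resolved)}")


if __name__ == "__main__":
    main()
```

The same check works as a regression test for any path-resolving code: feed it a target whose traversal segments sit only in the query string and assert the resolved path never lands under a protected prefix.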