Apache Tomcat Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) Vulnerability - CVE-2015-5174
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45 7.x before 7.0.65 and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource getResourceAsStream or getResourcePaths call as demonstrated by the CATALINA_BASE/webapps directory.