Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A cross-site scripting vulnerability was discovered in the HttpServletResponse.sendError() method. A remote attacker could inject arbitrary web script or HTML via forged HTTP headers. (CVE-2008-1232)

An additional cross-site scripting vulnerability was discovered in the host manager application. A remote attacker could inject arbitrary web script or HTML via the hostname parameter. (CVE-2008-1947)

A traversal vulnerability was discovered when using a RequestDispatcher in combination with a servlet or JSP. A remote attacker could utilize a specially-crafted request parameter to access protected web resources. (CVE-2008-2370)

An additional traversal vulnerability was discovered when the "allowLinking" and "URIencoding" settings were activated. A remote attacker could use a UTF-8-encoded request to extend their privileges and obtain local files accessible to the Tomcat process. (CVE-2008-2938)

Users of tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues.
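To help decide which hosts to update first, the following added example (not part of the original advisory or of the Tomcat project) audits Tomcat configuration for the setting combination named in CVE-2008-2938. It assumes, per Tomcat's configuration reference, that allowLinking is an attribute of Context elements and that the encoding setting is the URIEncoding attribute of Connector elements. The function name and sample XML are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration, not taken from any real host.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" URIEncoding="UTF-8"/>
    <Connector port="8009" protocol="AJP/1.3"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/files" docBase="files" allowLinking="true"/>
        <Context path="/app" docBase="app"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def _is_utf8(value):
    # Normalise spellings such as "utf8", "UTF-8" and "utf_8".
    if value is None:
        return False
    return value.strip().lower().replace("_", "").replace("-", "") == "utf8"


def audit(server_xml, context_xmls=()):
    """Report whether allowLinking and a UTF-8 URIEncoding are both active.

    server_xml   -- text of conf/server.xml
    context_xmls -- iterable of (name, text) pairs for context.xml files
    """
    root = ET.fromstring(server_xml)
    utf8_ports = [c.get("port", "?") for c in root.iter("Connector")
                  if _is_utf8(c.get("URIEncoding"))]
    docs = [("server.xml", root)]
    docs += [(name, ET.fromstring(text)) for name, text in context_xmls]
    linked = []
    for name, doc in docs:
        # iter() also yields the root, so a bare <Context> file is covered.
        for ctx in doc.iter("Context"):
            if (ctx.get("allowLinking") or "").strip().lower() == "true":
                linked.append((name, ctx.get("path", "(unset)")))
    return {"utf8_connector_ports": utf8_ports,
            "linking_contexts": linked,
            "exposed_combination": bool(utf8_ports) and bool(linked)}


if __name__ == "__main__":
    print(audit(SAMPLE_SERVER_XML))
```

A true `exposed_combination` only marks the configuration precondition described above; whether the host is still affected depends on whether the updated packages are installed.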