The IIS/ISAPI-specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it against the URI-worker map did not handle some edge cases correctly. If only a subset of the URLs supported by Tomcat was exposed via IIS, a specially constructed request could reach application functionality through the reverse proxy that was not intended to be reachable by clients accessing Tomcat via the reverse proxy. The issue is fixed in JK 1.2.43 and later; the table below lists the Debian package versions that carry the fix.
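The bug class above is a normalise-then-match ordering problem: if the proxy decides which worker (if any) owns a request by looking at the raw path, but forwards a canonicalised path, the two can disagree. The example below is added here to illustrate that ordering; it is not code from the JK connector, and the URI-worker map (`/examples/*` only), the worker name `ajp13w` and the probe paths are constructed for illustration of the general defect, not the specific edge cases the connector mishandled. `route_naive` matches before canonicalising, `route_fixed` canonicalises once and both matches and forwards that single canonical form.

```python
# Added example, not code from mod_jk/the ISAPI redirector. Names, map and
# probe paths are constructed for illustration.
import posixpath
import re
from urllib.parse import unquote

# Constructed URI-worker map: only /examples/* is meant to be reachable through
# the proxy. /manager/* exists on the backend but is deliberately NOT mapped.
URI_WORKER_MAP = {
    "/examples/*": "ajp13w",
}


def canonicalise(path):
    """Return the path the backend will actually see, or None when the request
    cannot be safely decided (a '%' survives one decode, i.e. double encoding)."""
    p = unquote(path)            # decode exactly once
    if "%" in p:
        return None              # conservative: refuse double-encoded input
    p = p.replace("\\", "/")     # IIS treats backslash as a path separator
    p = re.sub(r"/+", "/", p)    # collapse '//' (also avoids posixpath's '//' case)
    p = posixpath.normpath(p)    # resolve '/./' and '/../' segments
    if p == ".":
        p = "/"
    if not p.startswith("/"):
        p = "/" + p              # normpath("/../x") -> "/x"; never escape the root
    return p


def lookup(path, uri_map):
    """Match a path against the map: exact patterns, or '/prefix/*' with the
    longest prefix winning. Returns the worker name or None."""
    best = None
    for pattern, worker in uri_map.items():
        if pattern.endswith("/*"):
            prefix = pattern[:-1]                  # "/examples/*" -> "/examples/"
            if path.startswith(prefix) or path == prefix[:-1]:
                if best is None or len(prefix) > best[0]:
                    best = (len(prefix), worker)
        elif path == pattern:
            return worker
    return best[1] if best else None


def route_naive(path, uri_map=URI_WORKER_MAP):
    """Buggy order: match on the raw path, canonicalise only for forwarding.
    Returns (worker, forwarded_path) or None."""
    worker = lookup(path, uri_map)
    if worker is None:
        return None
    return worker, canonicalise(path)


def route_fixed(path, uri_map=URI_WORKER_MAP):
    """Correct order: canonicalise once, match that form, forward exactly that form."""
    canon = canonicalise(path)
    if canon is None:
        return None
    worker = lookup(canon, uri_map)
    if worker is None:
        return None
    return worker, canon


if __name__ == "__main__":
    # Constructed probes: the first is the only path the map is meant to expose.
    for probe in ("/examples/index.html",
                  "/examples/../manager/html",
                  "/examples/..%2Fmanager/html",
                  "/examples/%252e%252e/manager/html"):
        print(f"{probe!r:45} naive={route_naive(probe)}  fixed={route_fixed(probe)}")
```

The practitioner's check is the pair of `route_naive` / `route_fixed` results for the same probe: whenever the naive router forwards a path that the fixed router rejects, the unmapped backend URL space is reachable through the proxy. Note that `canonicalise` refuses double-encoded input rather than decoding repeatedly; decoding until the string stops changing would instead hand the backend a form it might decode once more.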
OS | Release | Architecture | Package | Affected versions | Fixed package |
---|---|---|---|---|---|
Debian | 12 | all | libapache-mod-jk | < 1:1.2.48-2+deb12u1 | libapache-mod-jk_1:1.2.48-2+deb12u1_all.deb |
Debian | 11 | all | libapache-mod-jk | < 1:1.2.48-1+deb11u1 | libapache-mod-jk_1:1.2.48-1+deb11u1_all.deb |
Debian | 10 | all | libapache-mod-jk | < 1:1.2.46-1+deb10u1 | libapache-mod-jk_1:1.2.46-1+deb10u1_all.deb |
Debian | 999 | all | libapache-mod-jk | < 1:1.2.49-1 | libapache-mod-jk_1:1.2.49-1_all.deb |
Debian | 13 | all | libapache-mod-jk | < 1:1.2.49-1 | libapache-mod-jk_1:1.2.49-1_all.deb |