7.5 High
CVSS2
Access Vector
Access Complexity
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.621 Medium
EPSS
Percentile
97.8%
TippingPoint and The Zero Day Initiative reports:
This vulnerability allows remote attackers to execute
arbitrary code on vulnerable installations of Apache
Tomcat JK Web Server Connector. Authentication is not
required to exploit this vulnerability.
The specific flaw exists in the URI handler for the
mod_jk.so library, map_uri_to_worker(), defined in
native/common/jk_uri_worker_map.c. When parsing a long URL
request, the URI worker map routine performs an unsafe
memory copy. This results in a stack overflow condition
which can be leveraged to execute arbitrary code.