Apache TomcatTOMCAT:E0E8DE7FA4A562D10AA255736ABC696AFixed in Apache Tomcat JK Connector 1.2.49
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
38.8%
Important: Information disclosure CVE-2023-41081
In some circumstances, such as when a configuration included JkOptions +ForwardDirectories but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue. The ISAPI redirector is not affected.
This was fixed with commit 0095b6cb.
This issue was reported to the Tomcat Security Team on 7 July 2023. The issue was made public on 13 September 2023.
Affects: JK 1.2.0-1.2.48 (mod_jk only)
| CPE | Name | Operator | Version |
|---|---|---|---|
| apache tomcat jk connectors | ge | 1.2.0 | |
| apache tomcat jk connectors | le | 1.2.48 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0.001 Low
EPSS
Percentile
38.8%