CVE-2007-1860

mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1	Patch
http://tomcat.apache.org/security-jk.html	Patch
http://secunia.com/advisories/25383	Patch Vendor Advisory
http://docs.info.apple.com/article.html?artnum=306172
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
http://www.debian.org/security/2007/dsa-1312
http://security.gentoo.org/glsa/glsa-200708-15.xml
http://www.redhat.com/support/errata/RHSA-2007-0379.html	Vendor Advisory
http://www.securityfocus.com/bid/24147
http://www.securityfocus.com/bid/25159
http://www.osvdb.org/34877
http://www.securitytracker.com/id?1018138
http://secunia.com/advisories/25701	Vendor Advisory
http://secunia.com/advisories/26235	Vendor Advisory
http://secunia.com/advisories/26512	Vendor Advisory
http://secunia.com/advisories/27037	Vendor Advisory
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
http://secunia.com/advisories/29242	Vendor Advisory
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
http://www.vupen.com/english/advisories/2007/2732	Vendor Advisory
http://www.vupen.com/english/advisories/2007/1941	Vendor Advisory
http://www.vupen.com/english/advisories/2007/3386	Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/34496
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E

Configurations

Configuration 1 (hide)

cpe:2.3:a:apache:tomcat_jk_web_server_connector:*:*:*:*:*:*:*:*

Information

Published : 2007-05-25 11:30

Updated : 2023-02-12 18:17

NVD link : CVE-2007-1860

Mitre link : CVE-2007-1860

JSON object : View

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Products Affected

apache

tomcat_jk_web_server_connector

5.0 /10