Vulnerability CVE-2007-1860
Published: 2007-05-25   Modified: 2012-02-12

Description:
mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.

Type:

CWE-22

 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'))

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Apache -> Tomcat jk web server connector 

 References:
http://docs.info.apple.com/article.html?artnum=306172
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
http://security.gentoo.org/glsa/glsa-200708-15.xml
http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1
http://tomcat.apache.org/security-jk.html
http://www.debian.org/security/2007/dsa-1312
http://www.redhat.com/support/errata/RHSA-2007-0379.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://www.securityfocus.com/bid/24147
http://www.securityfocus.com/bid/25159
http://www.securitytracker.com/id?1018138
http://www.vupen.com/english/advisories/2007/1941
http://www.vupen.com/english/advisories/2007/2732
http://www.vupen.com/english/advisories/2007/3386
https://exchange.xforce.ibmcloud.com/vulnerabilities/34496
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002
Copyright 2024, cxsecurity.com

 

Back to Top