Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request
CVE-2023-41081

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat Connectors
Vendor: CVE Published:; 13 September 2023

Summary

The mod_jk component of Apache Tomcat Connectors allows for an authentication bypass under specific configuration conditions. If 'JkOptions +ForwardDirectories' is used without providing explicit mounts for all proxied requests, mod_jk defaults to an implicit mapping. This can inadvertently expose the status worker and compromise security constraints set in Apache HTTP Server. Users are advised to upgrade to mod_jk version 1.2.49 or later, where the problematic implicit mapping functionality has been eliminated, ensuring all mappings require explicit configuration.

Affected Version(s)

Apache Tomcat Connectors 1.2.0 <= 1.2.48

References

https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooy...

vendor-advisory

https://www.openwall.com/lists/oss-security/2023/09/13/2

https://lists.debian.org/debian-lts-announce/2023/09/msg0...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 13, 2023
Vulnerability Reserved
Aug 22, 2023

Credit

Karl von Randow