CVE-2023-41081

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2023-41081

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-41081.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2023-41081

Related

Published

2023-09-13T10:15:07Z

Modified

2024-09-25T20:46:42.644063Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

Important: Authentication Bypass CVE-2023-41081

The modjk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, modjk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue. The ISAPI redirector is not affected.

This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.

Users are recommended to upgrade to version 1.2.49, which fixes the issue.

History 2023-09-13 Original advisory

2023-09-28 Updated summary

References

Affected packages

Debian:11 / libapache-mod-jk

Package

Name: libapache-mod-jk
Purl: pkg:deb/debian/libapache-mod-jk?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.2.48-1+deb11u1

Affected versions

1:1.*

1:1.2.48-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libapache-mod-jk

Package

Name: libapache-mod-jk
Purl: pkg:deb/debian/libapache-mod-jk?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.2.48-2+deb12u1

Affected versions

1:1.*

1:1.2.48-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libapache-mod-jk

Package

Name: libapache-mod-jk
Purl: pkg:deb/debian/libapache-mod-jk?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1:1.2.49-1

Affected versions

1:1.*

1:1.2.48-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}