CVE-2023-41081 | Date: (C)2023-09-20 (M)2024-04-30 |
Important: Authentication Bypass CVE-2023-41081
The mod_jk component of Apache Tomcat Connectors��in some circumstances, such as when a configuration included��"JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker.��Such an implicit mapping could result in the unintended exposure of the��status worker and/or bypass security constraints configured in httpd. As��of JK 1.2.49, the implicit mapping functionality has been removed and all��mappings must now be via explicit configuration.��Only mod_jk is affected��by this issue. The ISAPI redirector is not affected.
This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.
Users are recommended to upgrade to version 1.2.49, which fixes the issue.
History
2023-09-13 Original advisory
2023-09-28 Updated summary
CVSS Score and Metrics +CVSS Score and Metrics -CVSS V3 Severity: | CVSS V2 Severity: |
CVSS Score : 7.5 | CVSS Score : |
Exploit Score: 3.9 | Exploit Score: |
Impact Score: 3.6 | Impact Score: |
|
CVSS V3 Metrics: | CVSS V2 Metrics: |
Attack Vector: NETWORK | Access Vector: |
Attack Complexity: LOW | Access Complexity: |
Privileges Required: NONE | Authentication: |
User Interaction: NONE | Confidentiality: |
Scope: UNCHANGED | Integrity: |
Confidentiality: HIGH | Availability: |
Integrity: NONE | |
Availability: NONE | |
| |