Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors��in some circumstances, such as when a configuration included��"JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker.��Such an implicit mapping could result in the unintended exposure of the��status worker and/or bypass security constraints configured in httpd. As��of JK 1.2.49, the implicit mapping functionality has been removed and all��mappings must now be via explicit configuration.��Only mod_jk is affected��by this issue. The ISAPI redirector is not affected. This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48. Users are recommended to upgrade to version 1.2.49, which fixes the issue. History 2023-09-13 Original advisory 2023-09-28 Updated summary