Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2007-1860

mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.

Published

2007-05-25T18:30:00.000

Last Modified

2025-04-09T00:30:58.490

Status

Deferred

Source

[email protected]

Severity

CVSSv2: 5.0 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:N/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-22

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	tomcat_jk_web_server_connector	≤ 1.2.22	Yes

References

http://docs.info.apple.com/article.html?artnum=306172 ([email protected])
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 ([email protected])
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 ([email protected])
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html ([email protected])
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html ([email protected])
http://secunia.com/advisories/25383 Patch, Vendor Advisory ([email protected])
http://secunia.com/advisories/25701 Vendor Advisory ([email protected])
http://secunia.com/advisories/26235 Vendor Advisory ([email protected])
http://secunia.com/advisories/26512 Vendor Advisory ([email protected])
http://secunia.com/advisories/27037 Vendor Advisory ([email protected])
http://secunia.com/advisories/29242 Vendor Advisory ([email protected])
http://security.gentoo.org/glsa/glsa-200708-15.xml ([email protected])
http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1 Patch ([email protected])
http://tomcat.apache.org/security-jk.html Patch ([email protected])
http://www.debian.org/security/2007/dsa-1312 ([email protected])
http://www.osvdb.org/34877 ([email protected])
http://www.redhat.com/support/errata/RHSA-2007-0379.html Vendor Advisory ([email protected])
http://www.redhat.com/support/errata/RHSA-2008-0261.html ([email protected])
http://www.securityfocus.com/bid/24147 ([email protected])
http://www.securityfocus.com/bid/25159 ([email protected])
http://www.securitytracker.com/id?1018138 ([email protected])
http://www.vupen.com/english/advisories/2007/1941 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2007/2732 Vendor Advisory ([email protected])
http://www.vupen.com/english/advisories/2007/3386 Vendor Advisory ([email protected])
https://exchange.xforce.ibmcloud.com/vulnerabilities/34496 ([email protected])
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E ([email protected])
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002 ([email protected])
http://docs.info.apple.com/article.html?artnum=306172 (af854a3a-2127-422b-91ae-364da2661108)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 (af854a3a-2127-422b-91ae-364da2661108)
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 (af854a3a-2127-422b-91ae-364da2661108)
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html (af854a3a-2127-422b-91ae-364da2661108)
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/25383 Patch, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/25701 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/26235 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/26512 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/27037 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://secunia.com/advisories/29242 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://security.gentoo.org/glsa/glsa-200708-15.xml (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1 Patch (af854a3a-2127-422b-91ae-364da2661108)
http://tomcat.apache.org/security-jk.html Patch (af854a3a-2127-422b-91ae-364da2661108)
http://www.debian.org/security/2007/dsa-1312 (af854a3a-2127-422b-91ae-364da2661108)
http://www.osvdb.org/34877 (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2007-0379.html Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.redhat.com/support/errata/RHSA-2008-0261.html (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/24147 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securityfocus.com/bid/25159 (af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id?1018138 (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2007/1941 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2007/2732 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
http://www.vupen.com/english/advisories/2007/3386 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://exchange.xforce.ibmcloud.com/vulnerabilities/34496 (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E (af854a3a-2127-422b-91ae-364da2661108)
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002 (af854a3a-2127-422b-91ae-364da2661108)