CVE-2007-1860

MEDIUM

Description

mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.

References

http://docs.info.apple.com/article.html?artnum=306172

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795

http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html

http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html

http://secunia.com/advisories/25383

http://secunia.com/advisories/25701

http://secunia.com/advisories/26235

http://secunia.com/advisories/26512

http://secunia.com/advisories/27037

http://secunia.com/advisories/29242

http://security.gentoo.org/glsa/glsa-200708-15.xml

http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1

http://tomcat.apache.org/security-jk.html

http://www.debian.org/security/2007/dsa-1312

http://www.osvdb.org/34877

http://www.redhat.com/support/errata/RHSA-2007-0379.html

http://www.redhat.com/support/errata/RHSA-2008-0261.html

http://www.securityfocus.com/bid/24147

http://www.securityfocus.com/bid/25159

http://www.securitytracker.com/id?1018138

http://www.vupen.com/english/advisories/2007/1941

http://www.vupen.com/english/advisories/2007/2732

http://www.vupen.com/english/advisories/2007/3386

https://exchange.xforce.ibmcloud.com/vulnerabilities/34496

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002

Details

Source: MITRE

Published: 2007-05-25

Updated: 2019-04-15

Type: CWE-22

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM