CVE-2008-5519

LOW

Description

The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.

References

http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html

http://mail-archives.apache.org/mod_mbox/www-announce/200904.mbox/%[email protected]%3E

http://marc.info/?l=tomcat-dev&m=123913700700879

http://secunia.com/advisories/29283

http://secunia.com/advisories/34621

http://secunia.com/advisories/35537

http://securitytracker.com/id?1022001

http://sunsolve.sun.com/search/document.do?assetkey=1-26-262468-1

http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c?r1=702387&r2=702540&pathrev=702540&diff_format=h

http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=markup&pathrev=702540

http://svn.eu.apache.org/viewvc?view=rev&revision=702540

http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html

http://tomcat.apache.org/security-jk.html

http://www.debian.org/security/2009/dsa-1810

http://www.openwall.com/lists/oss-security/2009/04/08/10

http://www.redhat.com/support/errata/RHSA-2009-0446.html

http://www.securityfocus.com/archive/1/502530/100/0/threaded

http://www.securityfocus.com/bid/34412

http://www.vupen.com/english/advisories/2009/0973

https://bugzilla.redhat.com/show_bug.cgi?id=490201

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

Details

Source: MITRE

Published: 2009-04-09

Updated: 2019-04-15

Type: CWE-200

Risk Information

CVSS v2.0

Base Score: 2.6

Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 4.9

Severity: LOW

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:mod_jk:1.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.14.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:mod_jk:1.2.26:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:apache:tomcat:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.31:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.32:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.33:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.34:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.35:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:4.1.36:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.27:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.28:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.29:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.0.30:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.0:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.1:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.2:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.3:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.4:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.5:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.6:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.7:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.8:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.9:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.10:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.11:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.12:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.13:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.14:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.15:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.16:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.17:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.18:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.19:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.20:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.21:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.22:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.23:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.24:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.25:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.26:*:*:*:*:*:*:*

cpe:2.3:a:apache:tomcat:5.5.27:*:*:*:*:*:*:*

Tenable Plugins


ID | Name | Product | Family | Severity
107888 | Solaris 10 (x86) : 122912-37 | Nessus | Solaris Local Security Checks | medium
107887 | Solaris 10 (x86) : 122912-36 | Nessus | Solaris Local Security Checks | medium
107886 | Solaris 10 (x86) : 122912-35 | Nessus | Solaris Local Security Checks | medium
107885 | Solaris 10 (x86) : 122912-34 | Nessus | Solaris Local Security Checks | medium
107884 | Solaris 10 (x86) : 122912-33 | Nessus | Solaris Local Security Checks | medium
107883 | Solaris 10 (x86) : 122912-32 | Nessus | Solaris Local Security Checks | medium
107386 | Solaris 10 (sparc) : 122911-37 | Nessus | Solaris Local Security Checks | medium
107385 | Solaris 10 (sparc) : 122911-36 | Nessus | Solaris Local Security Checks | medium
107384 | Solaris 10 (sparc) : 122911-35 | Nessus | Solaris Local Security Checks | medium
107383 | Solaris 10 (sparc) : 122911-34 | Nessus | Solaris Local Security Checks | medium
107382 | Solaris 10 (sparc) : 122911-33 | Nessus | Solaris Local Security Checks | medium
107381 | Solaris 10 (sparc) : 122911-32 | Nessus | Solaris Local Security Checks | medium
46885 | Apache Tomcat JK Connector Content-Length Header Cross-User Information Disclosure | Nessus | Web Servers | low
43846 | RHEL 4 : mod_jk in Satellite Server (RHSA-2009:1618) | Nessus | Red Hat Local Security Checks | low
42397 | openSUSE 10 Security Update : apache2-mod_jk (apache2-mod_jk-6599) | Nessus | SuSE Local Security Checks | low
42392 | openSUSE Security Update : apache2-mod_jk (apache2-mod_jk-1479) | Nessus | SuSE Local Security Checks | low
42389 | openSUSE Security Update : apache2-mod_jk (apache2-mod_jk-1479) | Nessus | SuSE Local Security Checks | low
39571 | GLSA-200906-04 : Apache Tomcat JK Connector: Information disclosure | Nessus | Gentoo Local Security Checks | low
38991 | Debian DSA-1810-1 : libapache-mod-jk - information disclosure | Nessus | Debian Local Security Checks | low
4984 | Apache TomCat mod_jk < 1.2.27 Cross-user Information Disclosure | Nessus Network Monitor | Web Servers | medium
22063 | Solaris 10 (x86) : 122912-37 (deprecated) | Nessus | Solaris Local Security Checks | medium
22060 | Solaris 10 (sparc) : 122911-37 (deprecated) | Nessus | Solaris Local Security Checks | medium
13588 | Solaris 9 (x86) : 114017-07 | Nessus | Solaris Local Security Checks | low
13547 | Solaris 9 (sparc) : 114016-08 | Nessus | Solaris Local Security Checks | low
800629 | Apache TomCat mod_jk < 1.2.27 Cross-user Information Disclosure | Log Correlation Engine | Web Servers | low