CVE-2014-8111

Description

Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors. In a configuration such as "JkMount /examples/* worker1" followed by "JkUnmount /examples/WEB-INF/* worker1", an affected release keeps forwarding requests under /examples/WEB-INF/ to worker1 instead of leaving them to httpd, so any restriction that depended on the JkUnmount no longer applies. The fix is to upgrade to 1.2.41 or to a vendor package listed in the references below.
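The audit script below is an added example; it is not part of this advisory or of the Tomcat Connectors project. It parses JkMount and JkUnmount directives out of httpd configuration text and lists every JkUnmount that sits under an earlier JkMount for the same worker, which are exactly the rules a mod_jk release before 1.2.41 ignores, then prints an httpd-level <Location> deny block for each as an assumed defence-in-depth. The sample configuration, the worker names, the restriction to "/prefix/*" style mounts, the assumption of a single flat file (no Include, no per-VirtualHost scoping), and the httpd 2.4 "Require all denied" syntax are all my own choices; the script does not contact a running server.

```python
"""List JkUnmount rules that a mod_jk before 1.2.41 would silently ignore.

Added example for CVE-2014-8111. Assumptions (not from the advisory): one flat
httpd config, prefix-wildcard mounts of the form '/x/*', httpd 2.4 'Require'.
"""
import re
from dataclasses import dataclass
from typing import List

# JkMount / JkUnmount take a URI pattern and a worker name; httpd directive
# names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^\s*(JkMount|JkUnmount)\s+(\S+)\s+(\S+)\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class Rule:
    kind: str     # "JkMount" or "JkUnmount"
    pattern: str  # URI pattern, e.g. "/examples/*"
    worker: str   # worker name, e.g. "worker1" (assumed name)
    line: int     # 1-based line in the config text


@dataclass(frozen=True)
class Finding:
    unmount: Rule  # the rule a vulnerable mod_jk ignores
    mount: Rule    # the earlier mount whose subtree it lives in


def parse_rules(config_text: str) -> List[Rule]:
    """Extract JkMount/JkUnmount directives from httpd.conf text, in file order."""
    rules = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if raw.lstrip().startswith("#"):  # httpd comments occupy a whole line
            continue
        m = DIRECTIVE_RE.match(raw)
        if m:
            kind = "JkUnmount" if m.group(1).lower() == "jkunmount" else "JkMount"
            rules.append(Rule(kind, m.group(2), m.group(3), lineno))
    return rules


def literal_prefix(pattern: str) -> str:
    """Part of a mod_jk URI pattern before its first wildcard ('/a/b/*' -> '/a/b/')."""
    return pattern.split("*", 1)[0]


def is_subtree(mount_pattern: str, unmount_pattern: str) -> bool:
    """True when the unmount lies strictly inside a '/prefix/*' mount.

    Only prefix-wildcard mounts are treated as parents: a suffix pattern such as
    '/app/*.jsp' or an exact mount covers no subtree, so nothing nests under it.
    Keeping the trailing '/' in the base stops '/app/*' from claiming '/application/*'.
    """
    if not mount_pattern.endswith("/*"):
        return False
    base = mount_pattern[:-1]            # '/examples/*' -> '/examples/'
    sub = literal_prefix(unmount_pattern)
    return sub.startswith(base) and len(sub) > len(base)


def find_ignored_unmounts(rules: List[Rule]) -> List[Finding]:
    """JkUnmount rules for subtrees of *previous* JkMount rules on the same worker.

    Order matters because the advisory is about mounts that precede the unmount;
    the same-worker restriction is mine: an unmount aimed at another worker would
    not have restricted the mounted worker in the first place.
    """
    findings, mounts_seen = [], []  # type: List[Finding], List[Rule]
    for rule in rules:
        if rule.kind == "JkMount":
            mounts_seen.append(rule)
            continue
        for mount in mounts_seen:
            if mount.worker == rule.worker and is_subtree(mount.pattern, rule.pattern):
                findings.append(Finding(rule, mount))
                break
    return findings


def location_block(unmount_pattern: str) -> str:
    """httpd 2.4 block that denies the subtree before any handler (mod_jk included) runs.

    <Location> matches the path and everything below it, so the wildcard is dropped.
    """
    path = literal_prefix(unmount_pattern).rstrip("/") or "/"
    return f'<Location "{path}">\n    Require all denied\n</Location>'


def audit(config_text: str) -> List[Finding]:
    return find_ignored_unmounts(parse_rules(config_text))


# Constructed sample httpd.conf fragment; not taken from any real deployment.
SAMPLE_CONFIG = """\
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
# Forward the webapp, but keep its descriptors off the wire
JkMount /examples/* worker1
JkUnmount /examples/WEB-INF/* worker1
JkUnmount /examples/META-INF/* worker1
JkMount /status jkstatus
JkUnmount /admin/* worker1
jkmount /app/* worker1
JkUnmount /app/* worker1
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.unmount.line}: JkUnmount {f.unmount.pattern} is under JkMount "
              f"{f.mount.pattern} (line {f.mount.line}); ignored by mod_jk < 1.2.41")
        print(location_block(f.unmount.pattern))
```

Run it against your httpd.conf and any mod_jk .conf it pulls in. Each finding is a path to re-test against the backend after upgrading to 1.2.41, and a candidate for an httpd-level deny that holds regardless of the mod_jk version, since access control runs before the request reaches the mod_jk handler.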

References

http://rhn.redhat.com/errata/RHSA-2015-0846.html

http://rhn.redhat.com/errata/RHSA-2015-0847.html

http://rhn.redhat.com/errata/RHSA-2015-0848.html

http://rhn.redhat.com/errata/RHSA-2015-0849.html

http://rhn.redhat.com/errata/RHSA-2015-1641.html

http://rhn.redhat.com/errata/RHSA-2015-1642.html

http://www.debian.org/security/2015/dsa-3278

http://www.securityfocus.com/bid/74265

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/[email protected]%3Cdev.tomcat.apache.org%3E

Details

Source: MITRE

Published: 2015-04-21

Updated: 2019-04-15

Type: CWE-200 (Information Exposure)

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:apache:tomcat_connectors:*:*:*:*:*:*:*:* versions up to 1.2.40 (inclusive)

Tenable Plugins

12 plugins:

ID     | Name                                                                                                      | Product                  | Family                         | Severity
98523  | Apache Tomcat JK Connector 1.2.x < 1.2.41 JkUnmount Directive Handling Remote Information Disclosure      | Web Application Scanning | Component Vulnerability        | high
119336 | SUSE SLES11 Security Update : apache2-mod_jk (SUSE-SU-2018:3970-1)                                        | Nessus                   | SuSE Local Security Checks     | high
112239 | RHEL 7 : JBoss EAP (RHSA-2015:0848)                                                                       | Nessus                   | Red Hat Local Security Checks  | high
86703  | SUSE SLES12 Security Update : apache2 (SUSE-SU-2015:1851-1) (Logjam)                                      | Nessus                   | SuSE Local Security Checks     | low
85563  | RHEL 5 / 6 / 7 : JBoss Web Server (RHSA-2015:1642)                                                        | Nessus                   | Red Hat Local Security Checks  | medium
85513  | Apache Tomcat JK Connector 1.2.x < 1.2.41 JkUnmount Directive Handling Remote Information Disclosure      | Nessus                   | Web Servers                    | medium
85483  | FreeBSD : mod_jk -- information disclosure (47aa4343-44fa-11e5-9daa-14dae9d210b8)                         | Nessus                   | FreeBSD Local Security Checks  | medium
8833   | Apache Tomcat mod_jk < 1.2.41                                                                             | Nessus Network Monitor   | Web Servers                    | medium
84062  | Debian DLA-240-1 : libapache-mod-jk security update                                                       | Nessus                   | Debian Local Security Checks   | medium
83980  | Debian DSA-3278-1 : libapache-mod-jk - security update                                                    | Nessus                   | Debian Local Security Checks   | medium
82896  | RHEL 6 : JBoss EAP (RHSA-2015:0847)                                                                       | Nessus                   | Red Hat Local Security Checks  | high
82895  | RHEL 5 : JBoss EAP (RHSA-2015:0846)                                                                       | Nessus                   | Red Hat Local Security Checks  | high