Apache Tomcat JK Connector Content-Length Header Cross-User Information Disclosure
Low Nessus Plugin ID 46885
SynopsisThe remote web server is prone to an information disclosure attack.
DescriptionBased on the Server response header, the installation of the JK Connector (mod_jk) in Apache Tomcat listening on the remote host is version 1.2.x prior to 1.2.27. It is, therefore, affected by an information disclosure vulnerability. A remote attacker can view the response associated with a different user's request, either by sending a request with a Content-Length without data or by sending repeated requests very quickly.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
SolutionUpgrade to mod_jk version 1.2.27 or later.