Apache Tomcat JK Connector 1.2.x < 1.2.41 JkUnmount Directive Handling Remote Information Disclosure
Medium Nessus Plugin ID 85513
SynopsisThe remote web server is affected by an information disclosure vulnerability.
DescriptionBased on the Server response header, the installation of the JK Connector (mod_jk) in Apache Tomcat listening on the remote host is version 1.2.x prior to 1.2.41. It is, therefore, affected by an information disclosure vulnerability due to improper handling of the 'JkUnmount' directive and multiple, adjacent slashes in requests. A remote attacker can exploit this to access restricted private artifacts, resulting in the disclosure of sensitive information.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
SolutionUpgrade to mod_jk version 1.2.41 or later.