FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2007-1860

This CVE name corresponds to:

Entered: 2007-06-05
Topic: mod_jk -- information disclosure

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2007-1860
Phase: Assigned (20070404)

Description

mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.

References

Source Reference
MISC http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1
CONFIRM http://tomcat.apache.org/security-jk.html
CONFIRM http://docs.info.apple.com/article.html?artnum=306172
APPLE APPLE-SA-2007-07-31
DEBIAN DSA-1312
GENTOO GLSA-200708-15
HP HPSBUX02262
HP SSRT071447
REDHAT RHSA-2007:0379
REDHAT RHSA-2008:0261
SUSE SUSE-SR:2008:005
BID 24147
BID 25159
OVAL oval:org.mitre.oval:def:6002
VUPEN ADV-2007-1941
VUPEN ADV-2007-2732
VUPEN ADV-2007-3386
OSVDB 34877
SECTRACK 1018138
SECUNIA 25383
SECUNIA 25701
SECUNIA 26235
SECUNIA 26512
SECUNIA 27037
SECUNIA 29242
XF tomcat-jkconnector-security-bypass(34496)