CVE-2023-41081

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-41081
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-41081.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-41081
Related
Published
2023-09-13T10:15:07Z
Modified
2024-09-25T21:25:31.883215Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Important: Authentication Bypass CVE-2023-41081

In some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but did not provide explicit mounts for all possible proxied requests, the mod_jk component of Apache Tomcat Connectors would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue. The ISAPI redirector is not affected.

This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.

Users are recommended to upgrade to version 1.2.49, which fixes the issue.

History

2023-09-13 Original advisory

2023-09-28 Updated summary

References

Affected packages

Debian:11 / libapache-mod-jk

Package

Name
libapache-mod-jk
Purl
pkg:deb/debian/libapache-mod-jk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.2.48-1+deb11u1

Affected versions

1:1.*

1:1.2.48-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / libapache-mod-jk

Package

Name
libapache-mod-jk
Purl
pkg:deb/debian/libapache-mod-jk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.2.48-2+deb12u1

Affected versions

1:1.*

1:1.2.48-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / libapache-mod-jk

Package

Name
libapache-mod-jk
Purl
pkg:deb/debian/libapache-mod-jk?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:1.2.49-1

Affected versions

1:1.*

1:1.2.48-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}