CVE-2007-0450
published 2007-03-16

Priority: P3 / 51 / medium
CVSS 2.0: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploit: yes
EPSS: 90.77% (99.8th percentile)
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.

Affected (4 ranges)

Vendor | Product                        | Version range                                  | Fixed in
apache | tomcat                         | >= 5.0.0 < 5.5.22                              | 5.5.22
apache | tomcat                         | >= 6.0.0 < 6.0.10                              | 6.0.10
apache | tomcat_jk_web_server_connector | <= 1.2.22                                      |
debian | libapache-mod-jk               | < libapache-mod-jk 1:1.2.23-1 (bookworm)       | libapache-mod-jk 1:1.2.23-1 (bookworm)

Detection & IOCs (extracted from sources)

url: http://www.example.com/foo/\../manager/html
path: /josso/%5C../
path: /josso/%5C../web-console
command: %5C../
  • Detect directory traversal attempts that combine a URL-encoded backslash (%5C) with dot-dot sequences (../) in HTTP request paths; the backslash is a valid path separator in Tomcat but not in Apache.
  • Alert on HTTP requests containing a backslash followed by a dot-dot traversal pattern (e.g., \../) in URLs proxied through mod_proxy, mod_rewrite, or mod_jk.
  • Monitor for double-encoded dot-dot sequences in URLs reaching mod_jk, as the connector decodes URLs before passing them to Tomcat, potentially bypassing Apache access controls.
  • The vulnerability is only exploitable when Apache HTTP Server is used as a reverse proxy in front of Tomcat via mod_proxy, mod_rewrite, or mod_jk; direct Tomcat deployments are not affected by this specific bypass.
  • mod_jk specifically decodes request URLs within Apache before forwarding to Tomcat, meaning JkMount prefix rules can be bypassed; upgrading to mod_jk 1.2.23 or later resolves the related CVE-2007-1860 variant.
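As an added example (not code from the original page or from the Apache projects), a small log detector for the mismatch described above: it normalizes each request path once the way Apache would (only "/" separates segments) and once the way Tomcat would ("\" and its encoded form %5C also separate), and flags any request where the two views diverge, including the double-encoded %255C form. The log lines, addresses and timestamps are constructed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the page); the request paths
# mirror the IoC shapes listed above (\../ and %5C../) plus benign controls.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Mar/2007:10:01:02 +0000] "GET /foo/\\../manager/html HTTP/1.1" 200 512
10.0.0.6 - - [16/Mar/2007:10:01:03 +0000] "GET /josso/%5C../web-console HTTP/1.1" 200 77
10.0.0.7 - - [16/Mar/2007:10:01:04 +0000] "GET /josso/%255C../web-console HTTP/1.1" 404 0
10.0.0.8 - - [16/Mar/2007:10:01:05 +0000] "GET /foo/index.jsp?x=1 HTTP/1.1" 200 300
10.0.0.9 - - [16/Mar/2007:10:01:06 +0000] "GET /foo/../foo/index.jsp HTTP/1.1" 200 300
"""
REQ_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/')

def normalize(path, separators):
    """Resolve '.' and '..' segments, treating every char in `separators` as '/'."""
    for sep in separators:
        path = path.replace(sep, "/")
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)

def views(raw_path):
    """Return (apache_view, tomcat_view) for one request path, query string dropped."""
    decoded = unquote(raw_path.split("?", 1)[0])  # one percent-decoding pass
    apache = normalize(decoded, "/")              # Apache: only '/' separates
    tomcat = normalize(decoded, "/\\")            # Tomcat: '\' (decoded %5C) too
    return apache, tomcat

def is_suspicious(raw_path):
    """True when Apache and Tomcat would resolve the path to different targets."""
    apache, tomcat = views(raw_path)
    if apache != tomcat:
        return True
    # Double-encoded form (%255C): the views diverge only after the second
    # decode that the mod_jk bullet above describes.
    apache2, tomcat2 = views(unquote(raw_path))
    return apache2 != tomcat2

def scan_log(text):
    """Return the request paths in an access log that trip the detector."""
    paths = (m.group(1) for m in map(REQ_RE.search, text.splitlines()) if m)
    return [p for p in paths if is_suspicious(p)]
```

Plain `/foo/../foo/index.jsp` is deliberately not flagged: both servers resolve it identically, so it is ordinary traversal noise rather than the proxy bypass this CVE describes.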

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | 2.0     | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:P/I:N/A:N
osv           |         | 5.0   | MEDIUM   |
vendor_debian |         | 5.0   | MEDIUM   |
vendor_redhat |         | 5.0   | MEDIUM   |