CVE-2007-1860
Published 2007-05-25
CVE-2007-1860: mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which…
Priority: P4 · 30 · medium
CVSS 2.0: 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EPSS: 12.92% (95.8th percentile)
mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | tomcat_jk_web_server_connector | <= 1.2.22 | — |
| debian | libapache-mod-jk | < libapache-mod-jk 1:1.2.23-1 (bookworm) | libapache-mod-jk 1:1.2.23-1 (bookworm) |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
GHSA
GHSA-hr63-37xg-3w68 · ghsa_unreviewed · 2022-05-01 · CVSS 5.0 · MEDIUM · CWE-22
(description identical to the text above)
OSV
CVE-2007-1860 · osv · 2007-05-25 · CVSS 5.0 · MEDIUM
(description identical to the text above)
Red Hat
mod_jk sends decoded URL to tomcat · vendor_redhat · 2007-05-21 · CVSS 5.0 · MEDIUM
(description identical to the text above)
Debian
CVE-2007-1860: libapache-mod-jk · vendor_debian · 2007 · CVSS 5.0 · MEDIUM
(description identical to the text above)
Scope: local
bookworm: resolved (fixed in 1:1.2.23-1)
bullseye: resolved (fixed in 1:1.2.23-1)
forky: resolved (fixed in 1:1.2.23-1)
sid: resolved (fixed in 1:1.2.23-1)
trixie: resolved (fixed in 1:1.2.23-1)
No detection rules found.
No public exploits indexed.
References
- http://docs.info.apple.com/article.html?artnum=306172
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
- http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
- http://secunia.com/advisories/25383
- http://secunia.com/advisories/25701
- http://secunia.com/advisories/26235
- http://secunia.com/advisories/26512
- http://secunia.com/advisories/27037
- http://secunia.com/advisories/29242
- http://security.gentoo.org/glsa/glsa-200708-15.xml
- http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1
- http://tomcat.apache.org/security-jk.html
- http://www.debian.org/security/2007/dsa-1312
- http://www.osvdb.org/34877
- http://www.redhat.com/support/errata/RHSA-2007-0379.html
- http://www.redhat.com/support/errata/RHSA-2008-0261.html
- http://www.securityfocus.com/bid/24147
- http://www.securityfocus.com/bid/25159
- http://www.securitytracker.com/id?1018138
- http://www.vupen.com/english/advisories/2007/1941
- http://www.vupen.com/english/advisories/2007/2732
- http://www.vupen.com/english/advisories/2007/3386
- https://exchange.xforce.ibmcloud.com/vulnerabilities/34496
- https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002
Published: 2007-05-25