CVE-2008-5519
published 2009-04-09CVE-2008-5519: The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an…
PriorityP423low2.6CVSS 2.0
AVNACHAuNCPINAN
EPSS
7.26%
93.6th percentile
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
Affected
127 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | mod_jk | — | — |
| apache | tomcat | — | — |
CVSS provenance
nvdv2.02.6LOWAV:N/AC:H/Au:N/C:P/I:N/A:N
osv2.6LOW
vendor_debian2.6LOW
vendor_redhat2.6LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
mod_jk: session information leak
vendor_redhat·2008-10-28·CVSS 2.6
CVE-2008-5519 [LOW] mod_jk: session information leak
mod_jk: session information leak
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
Debian
CVE-2008-5519: libapache-mod-jk - The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remot...
vendor_debian·2008·CVSS 2.6
CVE-2008-5519 [LOW] CVE-2008-5519: libapache-mod-jk - The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remot...
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
Scope: local
bookworm: resolved (fixed in 1:1.2.26-2.1)
bullseye: resolved (fixed in 1:1.2.26-2.1)
forky: resolved (fixed in 1:1.2.26-2.1)
sid: resolved (fixed in 1:1.2.26-2.1)
trixie: resolved (fixed in 1:1.2.26-2.1)
GHSA
GHSA-3v4j-mhgf-pf6w: The JK Connector (aka mod_jk) 1
ghsa_unreviewed·2022-05-14
CVE-2008-5519 [LOW] CWE-200 GHSA-3v4j-mhgf-pf6w: The JK Connector (aka mod_jk) 1
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
OSV
CVE-2008-5519: The JK Connector (aka mod_jk) 1
osv·2009-04-09·CVSS 2.6
CVE-2008-5519 [LOW] CVE-2008-5519: The JK Connector (aka mod_jk) 1
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2009-1191 httpd mod_proxy_ajp information disclosure
bugzilla·2009-04-21·CVSS 2.6
CVE-2009-1191 [LOW] CVE-2009-1191 httpd mod_proxy_ajp information disclosure
CVE-2009-1191 httpd mod_proxy_ajp information disclosure
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1191 to the following vulnerability:
mod_proxy_ajp in Apache httpd 2.2.11 allows remote attackers to obtain sensitive information via an arbitrary request from a HTTP client, in opportunistic circumstances involving a request from a different client that included a Content-Length header but no POST data.
This is similar to the issue CVE-2008-5519 in mod_jk
Prior to httpd 2.2.11 this was not an issue. It was an issue
due to http://svn.apache.org/viewvc?view=rev&revision=711779
Patch will be applied to 2.2.12:
http://www.apache.org/dist/httpd/patches/apply_to_2.2.11/
Discussion:
The patch is available for download from the following location:
https://support.re
Bugzilla
CVE-2008-5519 mod_jk: session information leak
bugzilla·2009-03-13·CVSS 2.6
CVE-2008-5519 [LOW] CVE-2008-5519 mod_jk: session information leak
CVE-2008-5519 mod_jk: session information leak
An issue with mod_jk 1.2.26, and possibly older versions, allows one user to see another user's information due to missing logic where faulty clients set Content-Length without providing data, or if a user submits too many times very fast.
The relevant changelog entry in mod_jk 1.2.27 that corrects the issue is:
"AJP13: Always send initial POST packet even if the client disconnected after sending request but before providing POST data. In that case or in case the client broke the connection in a middle of read send an zero size packet informing container about broken client connection. (mturk)"
from http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
Discussion:
This issue affects 1.2.0 through to 1.2.26 and is fixed in
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.htmlhttp://mail-archives.apache.org/mod_mbox/www-announce/200904.mbox/%3C49DBBAC0.2080400%40apache.org%3Ehttp://marc.info/?l=tomcat-dev&m=123913700700879http://secunia.com/advisories/29283http://secunia.com/advisories/34621http://secunia.com/advisories/35537http://securitytracker.com/id?1022001http://sunsolve.sun.com/search/document.do?assetkey=1-26-262468-1http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c?r1=702387&r2=702540&pathrev=702540&diff_format=hhttp://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=markup&pathrev=702540http://svn.eu.apache.org/viewvc?view=rev&revision=702540http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.htmlhttp://tomcat.apache.org/security-jk.htmlhttp://www.debian.org/security/2009/dsa-1810http://www.openwall.com/lists/oss-security/2009/04/08/10http://www.redhat.com/support/errata/RHSA-2009-0446.htmlhttp://www.securityfocus.com/archive/1/502530/100/0/threadedhttp://www.securityfocus.com/bid/34412http://www.vupen.com/english/advisories/2009/0973https://bugzilla.redhat.com/show_bug.cgi?id=490201https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3Ehttp://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.htmlhttp://mail-archives.apache.org/mod_mbox/www-announce/200904.mbox/%3C49DBBAC0.2080400%40apache.org%3Ehttp://marc.info/?l=tomcat-dev&m=123913700700879http://secunia.com/advisories/29283http://secunia.com/advisories/34621http://secunia.com/advisories/35537http://securitytracker.com/id?1022001http://sunsolve.sun.com/search/document.do?assetkey=1-26-262468-1http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c?r1=702387&r2=702540&pathrev=702540&diff_format=hhttp://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=markup&pathrev=702540http://svn.eu.apache.org/viewvc?view=rev&revision=702540http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.htmlhttp://tomcat.apache.org/security-jk.htmlhttp://www.debian.org/security/2009/dsa-1810http://www.openwall.com/lists/oss-security/2009/04/08/10http://www.redhat.com/support/errata/RHSA-2009-0446.htmlhttp://www.securityfocus.com/archive/1/502530/100/0/threadedhttp://www.securityfocus.com/bid/34412http://www.vupen.com/english/advisories/2009/0973https://bugzilla.redhat.com/show_bug.cgi?id=490201https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E
2009-04-09
Published