CVE-2008-5519 — Sensitive Information Exposure in Apache MOD JK

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

2.6LOWNVD

EPSS

4.6%

top 10.79%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache MOD JK Apache Tomcat

Timeline

PublishedApr 9

Latest updateMay 14

Description

The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.

CVSS vector

AV:N/AC:H/C:P/I:N/A:NExploitability: 4.9 | Impact: 2.9

Affected Packages2 packages

▶NVDapache/tomcat102 versions+101

▶NVDapache/mod_jk24 versions+23

🔴Vulnerability Details

GHSA

GHSA-3v4j-mhgf-pf6w: The JK Connector (aka mod_jk) 1↗2022-05-14

▶

OSV

CVE-2008-5519: The JK Connector (aka mod_jk) 1↗2009-04-09

▶

CVEList

CVE-2008-5519: The JK Connector (aka mod_jk) 1↗2009-04-09

▶

📋Vendor Advisories

Red Hat

mod_jk: session information leak↗2008-10-28

▶

Debian

CVE-2008-5519: libapache-mod-jk - The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remot...↗2008

▶

💬Community

Bugzilla

CVE-2009-1191 httpd mod_proxy_ajp information disclosure↗2009-04-21

▶

Bugzilla

CVE-2008-5519 mod_jk: session information leak↗2009-03-13

▶