Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).
CVE-2018-11759
Severity
7.5HIGH
EPSS
94.3%
top 0.07%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
Timeline
PublishedOct 31
Latest updateMay 14
Description
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was …
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6
Affected Packages3 packages
▶CVEListV5apache_software_foundation/apache_tomcat_connectorsApache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44
Also affects: Debian Linux 8.0, 9.0
🔴Vulnerability Details
4GHSA▶
GHSA-5q2c-33mg-8m75: The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) C↗2022-05-14
CVEList▶
CVE-2018-11759: The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) C↗2018-10-31
OSV▶
CVE-2018-11759: The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) C↗2018-10-31
VulnCheck
▶
💥Exploits & PoCs
1Nuclei▶
Apache Tomcat JK Connect <=1.2.44 - Manager Access
📋Vendor Advisories
2💬Community
1Bugzilla
▶