CVE-2023-41081

CWE-2027 documents7 sources
Severity
7.5HIGH
EPSS
0.0%
top 89.39%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Apache Tomcat ConnectorsApache Software Foundation Apache Tomcat Connectors
Timeline
PublishedSep 13
Latest updateJun 11

Description

Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

NVDapache/tomcat_connectors1.2.01.2.49
Debianlibapache-mod-jk< 1:1.2.48-1+deb11u1+3

🔴Vulnerability Details

3
CVEList
Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request2023-09-13
OSV
CVE-2023-41081: Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration i2023-09-13
GHSA
GHSA-4wvr-fq5p-2362: The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the2023-09-13

📋Vendor Advisories

3
Ubuntu
mod_jk vulnerability2024-06-11
Red Hat
httpd: Apache Tomcat Connectors (mod_jk) Information Disclosure2023-09-13
Debian
CVE-2023-41081: libapache-mod-jk - Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache ...2023
CVE-2023-41081 (HIGH CVSS 7.5) | Important: Authentication Bypass CV | cvebase.io