CVE-2024-46544 — Incorrect Default Permissions in Apache Tomcat Connectors

CWE-276 — Incorrect Default Permissions6 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.0%

top 88.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Tomcat Connectors Apache Software Foundation Apache Tomcat Connectors Debian Linux

Timeline

PublishedSep 23

Description

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:LExploitability: 2.5 | Impact: 3.4

Affected Packages2 packages

▶NVDapache/tomcat_connectors1.2.9 — 1.2.50

▶CVEListV5apache_software_foundation/apache_tomcat_connectors1.2.9-beta — 1.2.49

Also affects: Debian Linux 11.0

🔴Vulnerability Details

GHSA

GHSA-2582-53pq-96cq: Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configur↗2024-09-23

▶

CVEList

Apache Tomcat Connectors: mod_jk: local users can view and modify configuration↗2024-09-23

▶

OSV

CVE-2024-46544: Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configur↗2024-09-23

▶

📋Vendor Advisories

Red Hat

mod_jk: information Disclosure / DoS↗2024-09-23

▶

Debian

CVE-2024-46544: libapache-mod-jk - Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows l...↗2024

▶