Debian Libapache-Mod-Jk vulnerabilities
7 known vulnerabilities affecting debian/libapache-mod-jk.
Total CVEs: 7
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: HIGH 2, MEDIUM 4, LOW 1
Vulnerabilities
CVE-2018-11759 | P1 | HIGH | CVSS 7.5 | Exploited | PoC | fixed in libapache-mod-jk 1:1.2.46-1 (bookworm) | 2018
CVE-2018-11759 [HIGH]: libapache-mod-jk
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose a
CVE-2007-0774 | P2 | MEDIUM | CVSS 7.5 | PoC | fixed in libapache-mod-jk 1:1.2.21-1 (bookworm) | 2007
CVE-2007-0774 [HIGH]: libapache-mod-jk
Stack-based buffer overflow in the map_uri_to_worker function (native/common/jk_uri_worker_map.c) in mod_jk.so for Apache Tomcat JK Web Server Connector 1.2.19 and 1.2.20, as used in Tomcat 4.1.34 and 5.5.20, allows remote attackers to execute arbitrary code via a long URL that triggers the overflow in a URI worker map routine.
Scope: local
bookworm: resolved
CVE-2023-41081 | P3 | HIGH | CVSS 7.5 | fixed in libapache-mod-jk 1:1.2.48-2+deb12u1 (bookworm) | 2023
CVE-2023-41081 [HIGH]: libapache-mod-jk
Important: Authentication Bypass CVE-2023-41081. The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined wo
CVE-2014-8111 | P3 | MEDIUM | CVSS 5.0 | fixed in libapache-mod-jk 1:1.2.40+svn150520-1 (bookworm) | 2014
CVE-2014-8111 [MEDIUM]: libapache-mod-jk
Apache Tomcat Connectors (mod_jk) before 1.2.41 ignores JkUnmount rules for subtrees of previous JkMount rules, which allows remote attackers to access otherwise restricted artifacts via unspecified vectors.
Scope: local
bookworm: resolved (fixed in 1:1.2.40+svn150520-1)
bullseye: resolved (fixed in 1:1.2.40+svn150520-1)
forky: resolved (fixed in 1:1.2.40+s
CVE-2007-1860 | P4 | MEDIUM | CVSS 5.0 | fixed in libapache-mod-jk 1:1.2.23-1 (bookworm) | 2007
CVE-2007-1860 [MEDIUM]: libapache-mod-jk
mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.
Scop
CVE-2024-46544 | P4 | MEDIUM | CVSS 5.9 | fixed in libapache-mod-jk 1:1.2.48-2+deb12u2 (bookworm) | 2024
CVE-2024-46544 [MEDIUM]: libapache-mod-jk
Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration, which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix-like systems is affected. Neither the
CVE-2008-5519 | P4 | LOW | CVSS 2.6 | fixed in libapache-mod-jk 1:1.2.26-2.1 (bookworm) | 2008
CVE-2008-5519 [LOW]: libapache-mod-jk
The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncomplianc