CVSS: 7.5EPSS: 94%CPEs: 4EXPL: 3CVE-2018-11759 – mod_jk: connector path traversal due to mishandled HTTP requests in httpd
https://notcve.org/view.php?id=CVE-2018-11759
31 Oct 2018 — The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possibl... • https://github.com/immunIT/CVE-2018-11759 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 56%CPEs: 1EXPL: 0CVE-2018-1323 – isapi_redirect: Mishandled HTTP request paths in jk_isapi_plugin.c can lead to unintended exposure of application resources via the reverse proxy
https://notcve.org/view.php?id=CVE-2018-1323
12 Mar 2018 — The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy. El código específico IIS/ISAPI en Apache Tomc... • http://www.securityfocus.com/bid/103389 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 34%CPEs: 1EXPL: 1CVE-2016-6808 – mod_jk: Buffer overflow when concatenating virtual host name and URI
https://notcve.org/view.php?id=CVE-2016-6808
11 Oct 2016 — Buffer overflow in Apache Tomcat Connectors (mod_jk) before 1.2.42. Desbordamiento de búfer en los Apache Tomcat Connectors (mod_jk) en versiones anteriores a 1.2.42. It was found that the length checks prior to writing to the target buffer for creating a virtual host mapping rule did not take account of the length of the virtual host name, creating the potential for a buffer overflow. This release adds the new Apache HTTP Server 2.4.23 packages that are part of the JBoss Core Services offering. This releas... • http://packetstormsecurity.com/files/139071/Apache-Tomcat-JK-ISAPI-Connector-1.2.41-Buffer-Overflow.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •