CVE-2018-11759

mod_jk: connector path traversal due to mishandled HTTP requests in httpd

Severity Score

7.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

El código específico de Apache Web Server (httpd) que normalizaba la ruta antes de compararla con el mapa URI-worker en Apache Tomcat JK (mod_jk) Connector, desde la versión 1.2.0 hasta la 1.2.44, no gestionaba correctamente algunos casos extremos. Si solo un subconjunto de las URL soportadas por Tomcat estuviese expuesto mediante httpd, una petición especialmente construida podría exponer funcionalidades de la aplicación mediante el proxy inverso que no estaba pensado para que los clientes accediesen a la aplicación a través de él. En algunas configuraciones, también era posible que una petición especialmente construida omita los controles de acceso configurados en htttpd. Aunque existe cierto solapamiento entre este problema y CVE-2018-1323, no son idénticos.

Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent update experience. This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.29 Service Pack 1 serves as an update to Red Hat JBoss Core Services Apache HTTP Server 2.4.29, and includes bug fixes for CVEs which are linked to in the References section. Issues addressed include bypass, denial of service, null pointer, out of bounds write, traversal, and use-after-free vulnerabilities.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-06-05 CVE Reserved
2018-10-31 CVE Published
2018-12-11 First Exploit
2024-08-05 CVE Updated
2025-03-28 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CAPEC

References (18)

URL	Tag	Source
http://www.securityfocus.com/bid/105888	Third Party Advisory
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad%40%3Cannounce.tomcat.apache.org%3E	X_refsource_misc
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E	Mailing List
https://lists.debian.org/debian-lts-announce/2018/12/msg00007.html	Mailing List
https://www.oracle.com/security-alerts/cpujan2020.html	X_refsource_misc

URL	Date	SRC
https://github.com/immunIT/CVE-2018-11759	2018-12-11
https://github.com/Jul10l1r4/Identificador-CVE-2018-11759	2019-01-21
https://github.com/julioliraup/Identificador-CVE-2018-11759	2019-01-21

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2019:0366	2023-11-07
https://access.redhat.com/errata/RHSA-2019:0367	2023-11-07
https://www.debian.org/security/2018/dsa-4357	2023-11-07
https://access.redhat.com/security/cve/CVE-2018-11759	2019-02-18
https://bugzilla.redhat.com/show_bug.cgi?id=1645589	2019-02-18

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apache Search vendor "Apache"		Tomcat Jk Connector Search vendor "Apache" for product "Tomcat Jk Connector"				>= 1.2.0 <= 1.2.44 Search vendor "Apache" for product "Tomcat Jk Connector" and version " >= 1.2.0 <= 1.2.44"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Redhat Search vendor "Redhat"		Jboss Core Services Search vendor "Redhat" for product "Jboss Core Services"				-		-		Affected