CVE-2007-1860

Published May 25, 2007

Last updated 2 years ago

Overview

Description: mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.
Source: secalert@redhat.com
NVD status: Modified

Hype score: Not currently trending

Risk scores

CVSS 2.0

Type: Primary
Base score: 5
Impact score: 2.9
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:N/A:N

Weaknesses

nvd@nist.gov: CWE-22

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:apache:tomcat_jk_web_server_connector:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "4B244B0D-0F1A-4A6C-9798-7F0A4AFB64E1",
            "versionEndIncluding": "1.2.22"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

References