Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request
Description
Important: Authentication Bypass CVE-2023-41081
In some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but did not provide explicit mounts for all possible proxied requests, the mod_jk component of Apache Tomcat Connectors would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue; the ISAPI redirector is not affected.
This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.
Users are recommended to upgrade to version 1.2.49, which fixes the issue.
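As an added illustration that is not part of the advisory, the following constructed mod_jk configuration has the shape the description warns about (a status worker defined first, `+ForwardDirectories` set, and a mount that does not cover every proxied path), followed by a hardened form. The worker names, paths and the assumption that "first defined worker" means the first entry in worker.list are mine, not taken from the advisory.

```apache
# --- Constructed example: the configuration shape the advisory describes ---
# workers.properties (hypothetical names)
#   worker.list=jkstatus,app1        <- status worker is the first defined worker
#   worker.jkstatus.type=status
#   worker.app1.type=ajp13
#   worker.app1.host=127.0.0.1
#   worker.app1.port=8009
#
# httpd.conf
JkWorkersFile conf/workers.properties
JkOptions     +ForwardDirectories
JkMount       /app/* app1
# No mount covers other paths (for example /docs/). Before 1.2.49 such an
# unmapped request could be mapped implicitly to the first defined worker,
# here the status worker, and would not pass through any httpd constraint
# written for the paths that are explicitly mounted.

# --- Hardened form: every proxied path has an explicit mount ---
# workers.properties
#   worker.list=app1,jkstatus        <- application worker first, status worker last
#   (remaining worker.* lines unchanged)
#
# httpd.conf
JkWorkersFile conf/workers.properties
JkOptions     +ForwardDirectories          # keep only if directory forwarding is needed
JkMount       /app/*     app1
JkMount       /jkstatus  jkstatus          # status worker reachable only on this path
<Location "/jkstatus">
    Require ip 127.0.0.1                   # and only from the admin host
</Location>
# On 1.2.49 and later, anything not mounted above is handled by httpd itself
# rather than proxied. On older versions the explicit mounts and worker order
# keep unmapped requests away from the status worker, but only upgrading
# removes the implicit mapping.
```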
History
2023-09-13 Original advisory
2023-09-28 Updated summary
Affected products
Apache Tomcat Connectors (mod_jk):
- (no CPE) range: >=1.2.0, <=1.2.48
- (no CPE) range: 1.2.0
Distribution packages (OSV coordinates, 6 versions):
- pkg:rpm/almalinux/mod_jk
- pkg:rpm/almalinux/mod_proxy_cluster
- pkg:rpm/opensuse/apache2-mod_jk&distro=openSUSE%20Leap%2015.6
- pkg:rpm/suse/apache2-mod_jk&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP6
- pkg:rpm/suse/apache2-mod_jk&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5
- pkg:rpm/suse/apache2-mod_jk&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5
Affected distribution package version ranges:
- (no CPE) range: < 1.2.49-1.el9_4
- (no CPE) range: < 1.3.20-1.el9_4
- (no CPE) range: < 1.2.50-150100.6.12.1
- (no CPE) range: < 1.2.50-150100.6.12.1
- (no CPE) range: < 1.2.49-7.9.1
- (no CPE) range: < 1.2.49-7.9.1