CVE-2023-41081

Important: Authentication Bypass CVE-2023-41081

The mod_jk component of Apache Tomcat Connectorsin some circumstances, such as when a configuration included"JkOptions +ForwardDirectories" but the configuration did not       provide explicit mounts for all possible proxied requests, mod_jk would       use an implicit mapping and map the request to the first defined worker.Such an implicit mapping could result in the unintended exposure of thestatus worker and/or bypass security constraints configured in httpd. Asof JK 1.2.49, the implicit mapping functionality has been removed and allmappings must now be via explicit configuration.Only mod_jk is affectedby this issue. The ISAPI redirector is not affected.

This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.

Users are recommended to upgrade to version 1.2.49, which fixes the issue.

History
2023-09-13 Original advisory

2023-09-28 Updated summary
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
apacheCNA
---
---
CVEADP
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 5%
VendorProductVersion
apachetomcat_connectors
1.2.0 ≤
𝑥
< 1.2.49
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
libapache-mod-jk
bullseye
1:1.2.48-1+deb11u1
fixed
bullseye (security)
1:1.2.48-1+deb11u2
fixed
bookworm
1:1.2.48-2+deb12u1
fixed
sid
1:1.2.49-1
fixed
trixie
1:1.2.49-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
libapache-mod-jk
noble
not-affected
mantic
Fixed 1:1.2.48-2ubuntu0.1
released
lunar
ignored
jammy
Fixed 1:1.2.48-1ubuntu0.1
released
focal
Fixed 1:1.2.46-1ubuntu0.1
released
bionic
Fixed 1:1.2.43-1ubuntu0.1~esm1
released
xenial
Fixed 1:1.2.41-1ubuntu0.1~esm1
released
trusty
ignored
References
http://www.openwall.com/lists/oss-security/2023/09/28/7
https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
https://lists.debian.org/debian-lts-announce/2023/09/msg00027.html
https://www.openwall.com/lists/oss-security/2023/09/13/2
http://www.openwall.com/lists/oss-security/2023/09/28/7
https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b
https://lists.debian.org/debian-lts-announce/2023/09/msg00027.html
https://www.openwall.com/lists/oss-security/2023/09/13/2