CVE-2024-46544

EUVD-2024-41869

23.09.2024, 11:15

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service.

This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected.

Users are recommended to upgrade to version 1.2.50, which fixes the issue.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.9 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA-ADP	ADP	5.9 MEDIUM	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 11%

Affected Products (NVD)

Vendor	Product	Version
apache	tomcat_connectors	1.2.9 ≤ 𝑥 < 1.2.50
debian	debian_linux	11.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

libapache-mod-jk

bookworm	1:1.2.48-2+deb12u2 fixed
bullseye	vulnerable
bullseye (security)	1:1.2.48-1+deb11u2 fixed
forky	1:1.2.50-1 fixed
sid	1:1.2.50-1 fixed
trixie	1:1.2.50-1 fixed

Ubuntu Releases

Ubuntu Product

Codename

libapache-mod-jk

bionic	needs-triage
focal	needs-triage
jammy	needs-triage
noble	needs-triage
oracular	ignored
plucky	needs-triage
questing	needs-triage
xenial	needs-triage

Common Weakness Enumeration

CWE-276 - Incorrect Default Permissions
During installation, installed file permissions are set to allow anyone to modify those files.

References

https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d

http://www.openwall.com/lists/oss-security/2024/09/23/1

https://lists.debian.org/debian-lts-announce/2024/10/msg00010.html