Path traversal in Apache Tomcat JK ISAPI Connector - CVE-2018-11759



Published: November 3, 2018 / Updated: April 7, 2020


Vulnerability identifier: #VU15703
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2018-11759
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vendor: Apache Foundation
Affected software:
Apache Tomcat JK ISAPI Connector

Detailed vulnerability description

The vulnerability allows a remote attacker to perform path traversal attacks.

The vulnerability exists due to an input validation error when matching the requested path against the URI-worker map in the Apache Tomcat JK (mod_jk) Connector, within the Apache Web Server (httpd)-specific code. A remote attacker can send a specially crafted HTTP request to the affected system and expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy.
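As an added illustration (not code from this advisory or from mod_jk itself), the Python below contrasts a matcher that consults the URI-worker map with the request path exactly as received against one that canonicalises the path first, so that the proxy decides on the same form the backend will resolve. The worker map, the prefix names and the normalisation rules are assumptions made for the example, not the connector's actual fix.

```python
from urllib.parse import unquote

# Constructed, illustrative URI-worker map (hypothetical values, not mod_jk's own):
# "/app/" is forwarded to an AJP worker; "/app/internal/" is unmounted, meaning the
# proxy must never forward a request that the backend would resolve under it.
WORKER_MAP = {"/app/": "ajp13", "/app/internal/": None}

def normalize_path(raw: str) -> str:
    # Canonicalise the path the way the backend will: decode until stable
    # (bounded, so double encoding cannot hide a segment), drop empty and "."
    # segments, resolve "..", and refuse to climb above the root.
    path, rounds = raw, 0
    while unquote(path) != path:
        path, rounds = unquote(path), rounds + 1
        if rounds > 2:
            raise ValueError("excessive percent-encoding")
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("traversal above root")
            segments.pop()
        else:
            segments.append(seg)
    result = "/" + "/".join(segments)
    return result + "/" if path.endswith("/") and result != "/" else result

def select_worker(path: str, worker_map=WORKER_MAP):
    # Longest-prefix match; a mapped value of None means "do not proxy".
    best = None
    for prefix, worker in worker_map.items():
        if path.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, worker)
    return best[1] if best else None

def route_unsafe(raw: str):
    # Vulnerable pattern: the map is consulted with the path exactly as received.
    return select_worker(raw)

def route_hardened(raw: str):
    # Hardened pattern: match on the canonical form the backend will actually see.
    return select_worker(normalize_path(raw))
```

The unsafe matcher forwards a request whose raw form sits under a mounted prefix even when the backend will resolve it under the unmounted one; the hardened matcher refuses it, and also rejects any path that tries to climb above the root.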


How to mitigate CVE-2018-11759

Install updates from the vendor's website.

Sources