#VU15703 Path traversal in Apache Tomcat JK ISAPI Connector - CVE-2018-11759
Published: November 3, 2018 / Updated: April 7, 2020
Vulnerability identifier: #VU15703
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/U:Green
CVE-ID: CVE-2018-11759
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability:
Public exploit is available
Vulnerable software:
Apache Tomcat JK ISAPI Connector
Apache Tomcat JK ISAPI Connector
Software vendor:
Apache Foundation
Apache Foundation
Description
The vulnerability allows a remote attacker to perform path traversal attacks.
The vulnerability exists due to input validation error when matching requested path against URI-worker map in Apache Tomcat JK (mod_jk) Connector within the Apache Web Server (httpd) specific code. A remote attacker can send a specially crafted HTTP request to the affected system and expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy.
Remediation
Install updates from vendor's website.