CVE-2018-1323

Name: CVE-2018-1323
Description: The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a subset of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package           Release             Version               Status
libapache-mod-jk (PTS)   buster              1:1.2.46-1+deb10u1    fixed
                         buster (security)   1:1.2.46-1+deb10u2    fixed
                         bullseye            1:1.2.48-1+deb11u1    fixed
                         bookworm            1:1.2.48-2+deb12u1    fixed
                         sid, trixie         1:1.2.49-1            fixed

The information below is based on the following data on fixed versions.

Package            Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
libapache-mod-jk   source   (unstable)   (not affected)

Notes

- libapache-mod-jk <not-affected> (Windows/IIS vhost handling specific issue)
http://tomcat.apache.org/security-jk.html#Fixed_in_Apache_Tomcat_JK_Connector_1.2.43
Fixed by: http://svn.apache.org/r1825658
