DescriptionThe IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libapache-mod-jk (PTS)buster1:1.2.46-1+deb10u1fixed
buster (security)1:1.2.46-1+deb10u2fixed
sid, trixie1:1.2.49-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libapache-mod-jksource(unstable)(not affected)


- libapache-mod-jk <not-affected> (Windows/IIS vhost handling specific issue)
Fixed by:

Search for package or bug name: Reporting problems