PT-2018-2515 · Apache · Apache Tomcat Jk (Mod Jk) Connector
Published: 2018-06-05 · Updated: 2024-06-15
CVE-2018-11759
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat JK (mod_jk) Connector versions 1.2.0 through 1.2.44
Description
The Apache Tomcat JK (mod_jk) Connector did not handle some edge cases correctly when normalizing requested paths. A specially constructed request could expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. In some configurations, a specially constructed request could also bypass the access controls configured in the httpd server. The vulnerability stems from incorrect handling of boundary conditions, specifically the filtering of the ';' character, during the normalization of the requested path and its mapping to the URI-worker array in mod_jk.
Recommendations
For versions 1.2.0 through 1.2.44, consider disabling the mod_jk connector until a patch is available to prevent potential exploitation. Restrict access to the reverse proxy to minimize the risk of bypassing access controls. Avoid using specially constructed requests that could expose application functionality or bypass access controls. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
Path traversal
Affected Products
Apache Tomcat Jk (Mod Jk) Connector
Suse