5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
0.002 Low
EPSS
Percentile
64.4%
Important: Information disclosure CVE-2014-8111
Multiple adjacent slashes in a request URI were not collapsed to a single slash before comparing the request URI to the configured mount and unmount patterns. It is therefore possible for an attacker to use a request URI containing multiple adjacent slashes to bypass the restrictions of a JkUnmount directive. This may expose application functionality through the reverse proxy that is not intended for clients accessing the application via the reverse proxy.
As of mod_jk 1.2.41, slashes are collapsed by default. The behaviour is now configurable via a new JkOption for httpd (values CollapseSlashesAll, CollapseSlashesNone or CollapseSlashesUnmount) and via a new property collapse_slashes for IIS (values all, none, unmount).
This was fixed in revision 1647017.
Affects: JK 1.2.0-1.2.40
CPE | Name | Operator | Version |
---|---|---|---|
apache tomcat jk connectors | ge | 1.2.0 | |
apache tomcat jk connectors | le | 1.2.40 |