Fixed in Apache Tomcat JK Connector 1.2.49

Important: Information disclosure CVE-2023-41081

In some circumstances, such as when a configuration included JkOptions +ForwardDirectories but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration. Only mod_jk is affected by this issue. The ISAPI redirector is not affected.

This was fixed with commit 0095b6cb.

This issue was reported to the Tomcat Security Team on 7 July 2023. The issue was made public on 13 September 2023.

Affects: JK 1.2.0-1.2.48 (mod_jk only)