CVE - CVE-2007-1860

CVE-ID
CVE-2007-1860	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
APPLE:APPLE-SA-2007-07-31 URL:http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html BID:24147 URL:http://www.securityfocus.com/bid/24147 BID:25159 URL:http://www.securityfocus.com/bid/25159 CONFIRM:http://docs.info.apple.com/article.html?artnum=306172 CONFIRM:http://tomcat.apache.org/security-jk.html DEBIAN:DSA-1312 URL:http://www.debian.org/security/2007/dsa-1312 GENTOO:GLSA-200708-15 URL:http://security.gentoo.org/glsa/glsa-200708-15.xml HP:HPSBUX02262 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 HP:SSRT071447 URL:http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 MISC:http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1 MLIST:[tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ URL:https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E MLIST:[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ URL:https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ URL:https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E MLIST:[tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ URL:https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935@%3Cdev.tomcat.apache.org%3E MLIST:[tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ URL:https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925@%3Cdev.tomcat.apache.org%3E MLIST:[tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ URL:https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4@%3Cdev.tomcat.apache.org%3E OSVDB:34877 URL:http://www.osvdb.org/34877 OVAL:oval:org.mitre.oval:def:6002 URL:https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002 REDHAT:RHSA-2007:0379 URL:http://www.redhat.com/support/errata/RHSA-2007-0379.html REDHAT:RHSA-2008:0261 URL:http://www.redhat.com/support/errata/RHSA-2008-0261.html SECTRACK:1018138 URL:http://www.securitytracker.com/id?1018138 SECUNIA:25383 URL:http://secunia.com/advisories/25383 SECUNIA:25701 URL:http://secunia.com/advisories/25701 SECUNIA:26235 URL:http://secunia.com/advisories/26235 SECUNIA:26512 URL:http://secunia.com/advisories/26512 SECUNIA:27037 URL:http://secunia.com/advisories/27037 SECUNIA:29242 URL:http://secunia.com/advisories/29242 SUSE:SUSE-SR:2008:005 URL:http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html VUPEN:ADV-2007-1941 URL:http://www.vupen.com/english/advisories/2007/1941 VUPEN:ADV-2007-2732 URL:http://www.vupen.com/english/advisories/2007/2732 VUPEN:ADV-2007-3386 URL:http://www.vupen.com/english/advisories/2007/3386 XF:tomcat-jkconnector-security-bypass(34496) URL:https://exchange.xforce.ibmcloud.com/vulnerabilities/34496
Assigning CNA
Red Hat, Inc.
Date Entry Created
20070404	Disclaimer: The entry creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20070404)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an entry on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select “Other” from dropdown)