CVE-2008-5519

Vulnerability Description

The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.

CVSS Score

Affected Products

Related Weaknesses (CWE)

References

• http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
• http://mail-archives.apache.org/mod_mbox/www-announce/200904.mbox/%3C49DBBAC0.20
• http://marc.info/?l=tomcat-dev&m=123913700700879
• http://secunia.com/advisories/29283
• http://secunia.com/advisories/34621Vendor Advisory
• http://secunia.com/advisories/35537
• http://securitytracker.com/id?1022001
• http://sunsolve.sun.com/search/document.do?assetkey=1-26-262468-1
• http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_ajp_Vendor Advisory
• http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/cExploitVendor Advisory
• http://svn.eu.apache.org/viewvc?view=rev&revision=702540Vendor Advisory
• http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.htmlVendor Advisory
• http://tomcat.apache.org/security-jk.htmlVendor Advisory
• http://www.debian.org/security/2009/dsa-1810
• http://www.openwall.com/lists/oss-security/2009/04/08/10