CVE-2018-11759 — HIGH (7.5)

Q: How severe is CVE-2018-11759?

CVE-2018-11759 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-11759?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat Jk Connector, Debian Debian Linux, Redhat Jboss Core Services.

Vulnerability Description

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Apache	Tomcat Jk Connector	>= 1.2.0, <= 1.2.44
Debian	Debian Linux	8.0
Redhat	Jboss Core Services	-

Related Weaknesses (CWE)

CWE-22

References

http://www.securityfocus.com/bid/105888Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:0366Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:0367Third Party Advisory
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a
https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade0
https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08
https://lists.debian.org/debian-lts-announce/2018/12/msg00007.htmlMailing ListThird Party Advisory
https://www.debian.org/security/2018/dsa-4357Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2020.html
http://www.securityfocus.com/bid/105888Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2019:0366Third Party Advisory

FAQ

What is CVE-2018-11759?

CVE-2018-11759 is a vulnerability with a CVSS score of 7.5 (HIGH). The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge ...

How severe is CVE-2018-11759?

CVE-2018-11759 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-11759?

Check the references section above for vendor advisories and patch information. Affected products include: Apache Tomcat Jk Connector, Debian Debian Linux, Redhat Jboss Core Services.