SB2018110301 - Path traversal in Apache Tomcat JK Connector
Published: November 3, 2018
Security Bulletin ID
SB2018110301
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Path traversal (CVE-ID: CVE-2018-11759)
The vulnerability allows a remote attacker to perform path traversal attacks.
The vulnerability exists due to input validation error when matching requested path against URI-worker map in Apache Tomcat JK (mod_jk) Connector within the Apache Web Server (httpd) specific code. A remote attacker can send a specially crafted HTTP request to the affected system and expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy.
Remediation
Install update from vendor's website.