Executive Summary
This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
| Summary | |
|---|---|
| Title | New libapache-mod-jk packages fix information disclosure |
| Informations | |||
|---|---|---|---|
| Name | DSA-1312 | First vendor Publication | 2007-06-18 |
| Vendor | Debian | Last vendor Modification | 2007-06-18 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:N/A:N) | |||
|---|---|---|---|
| Cvss Base Score | 5 | Attack Range | Network |
| Cvss Impact Score | 2.9 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| It was discovered that the Apache 1.3 connector for the Tomcat Java servlet engine decoded request URLs multiple times, which can lead to information disclosure. For the oldstable distribution (sarge) this problem has been fixed in version 1.2.5-2sarge1. An updated package for powerpc is not yet available due to problems with the build host. It will be provided later. For the stable distribution (etch) this problem has been fixed in version 1.2.18-3etch1. For the unstable distribution (sid) this problem has been fixed in version 1.2.23-1. We recommend that you upgrade your libapache-mod-jk package. |
Original Source
| Url : http://www.debian.org/security/2007/dsa-1312 |
CWE : Common Weakness Enumeration
| % | Id | Name |
|---|---|---|
| 100 % | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25) |
OVAL Definitions
| Definition Id: oval:org.mitre.oval:def:18548 | |||
| Oval ID: | oval:org.mitre.oval:def:18548 | ||
| Title: | DSA-1312-1 libapache-mod-jk | ||
| Description: | It was discovered that the Apache 1.3 connector for the Tomcat Java servlet engine decoded request URLs multiple times, which can lead to information disclosure. | ||
| Family: | unix | Class: | patch |
| Reference(s): | DSA-1312-1 CVE-2007-1860 | Version: | 5 |
| Platform(s): | Debian GNU/Linux 4.0 | Product(s): | libapache-mod-jk |
| Definition Synopsis: | |||
| Definition Id: oval:org.mitre.oval:def:6002 | |||
| Oval ID: | oval:org.mitre.oval:def:6002 | ||
| Title: | HP-UX running Apache, Remote Arbitrary Code Execution, Cross Site Scripting (XSS) | ||
| Description: | mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450. | ||
| Family: | unix | Class: | vulnerability |
| Reference(s): | CVE-2007-1860 | Version: | 9 |
| Platform(s): | HP-UX 11 | Product(s): | |
| Definition Synopsis: | |||
| |||
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 2 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2009-10-10 | Name : SLES9: Security update for Tomcat File : nvt/sles9p5021793.nasl |
| 2009-05-05 | Name : HP-UX Update for Apache HPSBUX02262 File : nvt/gb_hp_ux_HPSBUX02262.nasl |
| 2008-09-24 | Name : Gentoo Security Advisory GLSA 200708-15 (mod_jk) File : nvt/glsa_200708_15.nasl |
| 2008-09-04 | Name : FreeBSD Ports: mod_jk File : nvt/freebsd_mod_jk.nasl |
| 2008-01-17 | Name : Debian Security Advisory DSA 1312-1 (libapache-mod-jk) File : nvt/deb_1312_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 34877 | Apache Tomcat JK Web Server Connector (mod_jk) Double Encoded Traversal Arbit... Apache Tomcat JK Web Server Connector contains a flaw that allows a remote attacker to access files on the AJP back-end outside of the web root. The issue is due to a failure of handling double encoded ".." in a URL, specifically directory traversal style attacks. |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0261.nasl - Type : ACT_GATHER_INFO |
| 2010-01-10 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2008-0524.nasl - Type : ACT_GATHER_INFO |
| 2009-09-24 | Name : The remote SuSE 9 host is missing a security-related patch. File : suse9_12078.nasl - Type : ACT_GATHER_INFO |
| 2008-03-04 | Name : The remote openSUSE host is missing a security update. File : suse_apache2-mod_jk-4997.nasl - Type : ACT_GATHER_INFO |
| 2008-02-29 | Name : The remote openSUSE host is missing a security update. File : suse_apache2-mod_jk-4992.nasl - Type : ACT_GATHER_INFO |
| 2008-02-27 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_tomcat5-4990.nasl - Type : ACT_GATHER_INFO |
| 2007-08-21 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200708-15.nasl - Type : ACT_GATHER_INFO |
| 2007-08-02 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-007.nasl - Type : ACT_GATHER_INFO |
| 2007-06-21 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1312.nasl - Type : ACT_GATHER_INFO |
| 2007-06-05 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_d9405748134211dca35c001485ab073e.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:26:42 |
|
