{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-41081", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2023-08-22T18:35:12.615Z", "datePublished": "2023-09-13T09:30:05.584Z", "dateUpdated": "2024-08-02T18:46:11.826Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat Connectors", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.2.48", "status": "affected", "version": "1.2.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Karl von Randow"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div><p>Important: Authentication Bypass CVE-2023-41081\n<br>\n</p><p>The mod_jk component of <span style=\"background-color: rgb(255, 255, 255);\">Apache Tomcat Connectors&nbsp;</span>in some circumstances, such as when a configuration included&nbsp;\"JkOptions +ForwardDirectories\" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker.&nbsp;<span style=\"background-color: var(--wht);\">Such an implicit mapping could result in the unintended exposure of the&nbsp;</span><span style=\"background-color: var(--wht);\">status worker and/or bypass security constraints configured in httpd. As&nbsp;</span><span style=\"background-color: var(--wht);\">of JK 1.2.49, the implicit mapping functionality has been removed and all&nbsp;</span><span style=\"background-color: var(--wht);\">mappings must now be via explicit configuration.&nbsp;</span><span style=\"background-color: var(--wht);\">Only mod_jk is affected&nbsp;</span><span style=\"background-color: var(--wht);\">by this issue. The ISAPI redirector is not affected.</span></p></div><p>This issue affects Apache Tomcat Connectors <span style=\"background-color: rgb(255, 255, 255);\">(mod_jk only)</span>: from 1.2.0 through 1.2.48.</p><p>Users are recommended to upgrade to version 1.2.49, which fixes the issue.</p><h2>History<br></h2><h2></h2><p>2023-09-13 Original advisory\n<br>2023-09-28 Updated summary<br></p>"}], "value": "Important: Authentication Bypass CVE-2023-41081\n\nThe mod_jk component of Apache Tomcat Connectors\u00a0in some circumstances, such as when a configuration included\u00a0\"JkOptions +ForwardDirectories\" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker.\u00a0Such an implicit mapping could result in the unintended exposure of the\u00a0status worker and/or bypass security constraints configured in httpd. As\u00a0of JK 1.2.49, the implicit mapping functionality has been removed and all\u00a0mappings must now be via explicit configuration.\u00a0Only mod_jk is affected\u00a0by this issue. The ISAPI redirector is not affected.\n\nThis issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.\n\nUsers are recommended to upgrade to version 1.2.49, which fixes the issue.\n\nHistory\n2023-09-13 Original advisory\n\n2023-09-28 Updated summary\n\n"}], "metrics": [{"other": {"content": {"text": "important"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"description": "Unexpected default behaviour", "lang": "en"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2023-09-28T21:30:57.072Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b"}, {"url": "https://www.openwall.com/lists/oss-security/2023/09/13/2"}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00027.html"}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/28/7"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:46:11.826Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b"}, {"url": "https://www.openwall.com/lists/oss-security/2023/09/13/2", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00027.html", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/09/28/7", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat_connectors:*:*:*:*:*:*:*:*", "matchCriteriaId": "9349521D-9E00-44E9-A1FF-E12C299CFEFA", "versionEndExcluding": "1.2.49", "versionStartIncluding": "1.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Important: Authentication Bypass CVE-2023-41081\n\nThe mod_jk component of Apache Tomcat Connectors\u00a0in some circumstances, such as when a configuration included\u00a0\"JkOptions +ForwardDirectories\" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker.\u00a0Such an implicit mapping could result in the unintended exposure of the\u00a0status worker and/or bypass security constraints configured in httpd. As\u00a0of JK 1.2.49, the implicit mapping functionality has been removed and all\u00a0mappings must now be via explicit configuration.\u00a0Only mod_jk is affected\u00a0by this issue. The ISAPI redirector is not affected.\n\nThis issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.\n\nUsers are recommended to upgrade to version 1.2.49, which fixes the issue.\n\nHistory\n2023-09-13 Original advisory\n\n2023-09-28 Updated summary\n\n"}, {"lang": "es", "value": "Importante: Omisi\u00f3n de Autenticaci\u00f3n CVE-2023-41081. El componente mod_jk de Apache Tomcat Connectors en algunas circunstancias, como cuando una configuraci\u00f3n inclu\u00eda \"JkOptions +ForwardDirectories\" pero la configuraci\u00f3n no proporcionaba mounts expl\u00edcitos para todas las posibles solicitudes de proxy, mod_jk usar\u00eda un mapeo impl\u00edcito y mapear\u00eda la solicitud al primer worker definido. Un mapeo impl\u00edcito de este tipo podr\u00eda dar como resultado la exposici\u00f3n no deseada del estado del worker y/o eludir las restricciones de seguridad configuradas en httpd. A partir de JK 1.2.49, la funcionalidad de asignaci\u00f3n impl\u00edcita se elimin\u00f3 y todas las asignaciones ahora deben realizarse mediante una configuraci\u00f3n expl\u00edcita. S\u00f3lo mod_jk se ve afectado por este problema. El redirector ISAPI no se ve afectado. Este problema afecta a los conectores Apache Tomcat (solo mod_jk): desde la versi\u00f3n 1.2.0 hasta la 1.2.48. Se recomienda a los usuarios actualizar a la versi\u00f3n 1.2.49, que soluciona el problema. Historia: 2023-09-13. Aviso original: 2023-09-28. Resumen actualizado"}], "id": "CVE-2023-41081", "lastModified": "2023-09-29T00:15:12.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-13T10:15:07.657", "references": [{"source": "security@apache.org", "url": "http://www.openwall.com/lists/oss-security/2023/09/28/7"}, {"source": "security@apache.org", "tags": ["Mailing List"], "url": "https://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b"}, {"source": "security@apache.org", "url": "https://lists.debian.org/debian-lts-announce/2023/09/msg00027.html"}, {"source": "security@apache.org", "url": "https://www.openwall.com/lists/oss-security/2023/09/13/2"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:7625", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.49-1.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2023:7625", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.49-1.redhat_1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2023-12-07T00:00:00Z"}, {"advisory": "RHSA-2024:2387", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "mod_jk-0:1.2.49-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-04-30T00:00:00Z"}, {"advisory": "RHSA-2023:7626", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "jbcs-httpd24-mod_jk", "product_name": "Red Hat JBoss Core Services 1", "release_date": "2023-12-07T00:00:00Z"}], "bugzilla": {"description": "httpd: Apache Tomcat Connectors (mod_jk) Information Disclosure", "id": "2238847", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238847"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-202", "details": ["Important: Authentication Bypass CVE-2023-41081\nThe mod_jk component of Apache Tomcat Connectors\u00a0in some circumstances, such as when a configuration included\u00a0\"JkOptions +ForwardDirectories\" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker.\u00a0Such an implicit mapping could result in the unintended exposure of the\u00a0status worker and/or bypass security constraints configured in httpd. As\u00a0of JK 1.2.49, the implicit mapping functionality has been removed and all\u00a0mappings must now be via explicit configuration.\u00a0Only mod_jk is affected\u00a0by this issue. The ISAPI redirector is not affected.\nThis issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.\nUsers are recommended to upgrade to version 1.2.49, which fixes the issue.\nHistory\n2023-09-13 Original advisory\n2023-09-28 Updated summary", "A vulnerability was found in Apache Tomcat Connectors (mod_jk). Affected versions of this package are vulnerable to information exposure in the mod_jk component. This flaw allows an attacker to exploit the implicit mapping functionality, resulting in the unintended exposure of the status worker and bypassing security constraints configured in httpd."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-41081", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Out of support scope", "package_name": "mod_jk", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}], "public_date": "2023-09-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-41081\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-41081\nhttps://lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b"], "threat_severity": "Moderate", "upstream_fix": "httpd 1.2.49"}