{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-46544", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2024-09-11T07:19:56.829Z", "datePublished": "2024-09-23T10:43:57.123Z", "dateUpdated": "2024-10-31T19:59:53.770Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Apache Tomcat Connectors", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "1.2.49", "status": "affected", "version": "1.2.9-beta", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service.</p><p>This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected.<br></p><p>Users are recommended to upgrade to version 1.2.50, which fixes the issue.</p>"}], "value": "Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service.\n\nThis issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected.\n\nUsers are recommended to upgrade to version 1.2.50, which fixes the issue."}], "metrics": [{"other": {"content": {"text": "moderate"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-09-23T10:43:57.123Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d"}], "source": {"discovery": "UNKNOWN"}, "title": "Apache Tomcat Connectors: mod_jk: local users can view and modify configuration", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/09/23/1"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00010.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-14T21:02:40.154Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-23T17:36:05.907638Z", "id": "CVE-2024-46544", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-31T19:59:53.770Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/09/23/1"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00010.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-14T21:02:40.154Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-46544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-23T17:36:05.907638Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-23T17:36:10.855Z"}}], "cna": {"title": "Apache Tomcat Connectors: mod_jk: local users can view and modify configuration", "source": {"discovery": "UNKNOWN"}, "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "moderate"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Tomcat Connectors", "versions": [{"status": "affected", "version": "1.2.9-beta", "versionType": "semver", "lessThanOrEqual": "1.2.49"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service.\n\nThis issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected.\n\nUsers are recommended to upgrade to version 1.2.50, which fixes the issue.", "supportingMedia": [{"type": "text/html", "value": "<p>Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service.</p><p>This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected.<br></p><p>Users are recommended to upgrade to version 1.2.50, which fixes the issue.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-276", "description": "CWE-276 Incorrect Default Permissions"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2024-09-23T10:43:57.123Z"}}}, "cveMetadata": {"cveId": "CVE-2024-46544", "state": "PUBLISHED", "dateUpdated": "2024-10-31T19:59:53.770Z", "dateReserved": "2024-09-11T07:19:56.829Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2024-09-23T10:43:57.123Z", "assignerShortName": "apache"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:apache:tomcat_connectors:*:*:*:*:*:*:*:*", "matchCriteriaId": "904CA415-772A-4ECB-BCCB-DB4390E4F0D1", "versionEndExcluding": "1.2.50", "versionStartIncluding": "1.2.9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service.\n\nThis issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected.\n\nUsers are recommended to upgrade to version 1.2.50, which fixes the issue."}, {"lang": "es", "value": "La vulnerabilidad de permisos predeterminados incorrectos en los conectores Apache Tomcat permite a los usuarios locales ver y modificar la memoria compartida que contiene la configuraci\u00f3n de mod_jk, lo que puede provocar la divulgaci\u00f3n de informaci\u00f3n o la denegaci\u00f3n de servicio. Este problema afecta a los conectores Apache Tomcat: desde la versi\u00f3n 1.2.9-beta hasta la 1.2.49. Solo se ve afectado mod_jk en sistemas tipo Unix. Ni el redirector ISAPI ni mod_jk en Windows se ven afectados. Se recomienda a los usuarios que actualicen a la versi\u00f3n 1.2.50, que soluciona el problema."}], "id": "CVE-2024-46544", "lastModified": "2025-07-10T19:11:29.427", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 3.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-09-23T11:15:10.563", "references": [{"source": "security@apache.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2024/09/23/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00010.html"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-276"}], "source": "security@apache.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:6927", "cpe": "cpe:/a:redhat:jboss_core_services:1::el8", "package": "jbcs-httpd24-mod_jk-0:1.2.50-3.redhat_1.el8jbcs", "product_name": "JBoss Core Services for RHEL 8", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:6927", "cpe": "cpe:/a:redhat:jboss_core_services:1::el7", "package": "jbcs-httpd24-mod_jk-0:1.2.50-3.redhat_1.el7jbcs", "product_name": "JBoss Core Services on RHEL 7", "release_date": "2024-09-24T00:00:00Z"}, {"advisory": "RHSA-2024:7457", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "mod_jk-0:1.2.50-1.el9_4.1", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-10-01T00:00:00Z"}, {"advisory": "RHSA-2024:8928", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "mod_jk-0:1.2.50-1.el9_0.1", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-11-06T00:00:00Z"}, {"advisory": "RHSA-2024:8929", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "mod_jk-0:1.2.50-1.el9_2.1", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-11-06T00:00:00Z"}, {"advisory": "RHSA-2024:6928", "cpe": "cpe:/a:redhat:jboss_core_services:1", "package": "jbcs-httpd24-mod_jk", "product_name": "Text-Only JBCS", "release_date": "2024-09-24T00:00:00Z"}], "bugzilla": {"description": "mod_jk: information Disclosure / DoS", "id": "2314194", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2314194"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-276", "details": ["Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service.\nThis issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected.\nUsers are recommended to upgrade to version 1.2.50, which fixes the issue.", "An Incorrect Default Permissions vulnerability was found in Apache Tomcat Connectors that allows local users to view and modify shared memory containing mod_jk configuration, which may lead to information disclosure and denial of service."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-46544", "package_state": [{"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "mod_jk", "product_name": "Red Hat JBoss Core Services"}], "public_date": "2024-09-23T11:15:10Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-46544\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-46544\nhttps://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d"], "threat_severity": "Moderate"}

{}