CVE-2018-1323 Apache Tomcat JK ISAPI Connector path traversal Severity: Important
Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 Description The IIS/ISAPI specific code that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. Mitigation Users of affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat JK ISAPI Connector 1.2.43 or later. - Use alternative measures (e.g. the remote address filter) to restrict access to trusted users. Credit: This issue was discovered by Alphan Yavas from Biznet Bilisim A.S. and reported responsibly to the Apache Tomcat Security Team. References: [1] http://tomcat.apache.org/security-jk.html --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
