Vulnerability-Lookup

CVE-2007-1860 (GCVE-0-2007-1860)

Vulnerability from cvelistv5 – Published: 2007-05-25 18:00 – Updated: 2024-08-07 13:13

Summary

mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.

Severity

No CVSS data available.

CWE

Assigner

redhat

References

35 references

URL	Tags
http://www.debian.org/security/2007/dsa-1312	vendor-advisoryx_refsource_DEBIAN
http://www.vupen.com/english/advisories/2007/2732	vdb-entryx_refsource_VUPEN
https://oval.cisecurity.org/repository/search/def…	vdb-entrysignaturex_refsource_OVAL
http://secunia.com/advisories/25701	third-party-advisoryx_refsource_SECUNIA
http://secunia.com/advisories/29242	third-party-advisoryx_refsource_SECUNIA
http://www.securityfocus.com/bid/24147	vdb-entryx_refsource_BID
http://secunia.com/advisories/25383	third-party-advisoryx_refsource_SECUNIA
http://lists.apple.com/archives/security-announce…	vendor-advisoryx_refsource_APPLE
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
http://www.osvdb.org/34877	vdb-entryx_refsource_OSVDB
http://www.vupen.com/english/advisories/2007/1941	vdb-entryx_refsource_VUPEN
http://security.gentoo.org/glsa/glsa-200708-15.xml	vendor-advisoryx_refsource_GENTOO
http://www.redhat.com/support/errata/RHSA-2007-03…	vendor-advisoryx_refsource_REDHAT
http://www.vupen.com/english/advisories/2007/3386	vdb-entryx_refsource_VUPEN
http://www.securitytracker.com/id?1018138	vdb-entryx_refsource_SECTRACK
http://secunia.com/advisories/27037	third-party-advisoryx_refsource_SECUNIA
http://docs.info.apple.com/article.html?artnum=306172	x_refsource_CONFIRM
http://secunia.com/advisories/26512	third-party-advisoryx_refsource_SECUNIA
http://h20000.www2.hp.com/bizsupport/TechSupport/…	vendor-advisoryx_refsource_HP
http://tomcat.apache.org/connectors-doc/news/2007…	x_refsource_MISC
http://h20000.www2.hp.com/bizsupport/TechSupport/…	vendor-advisoryx_refsource_HP
http://tomcat.apache.org/security-jk.html	x_refsource_CONFIRM
http://www.securityfocus.com/bid/25159	vdb-entryx_refsource_BID
http://www.redhat.com/support/errata/RHSA-2008-02…	vendor-advisoryx_refsource_REDHAT
https://exchange.xforce.ibmcloud.com/vulnerabilit…	vdb-entryx_refsource_XF
http://secunia.com/advisories/26235	third-party-advisoryx_refsource_SECUNIA
https://lists.apache.org/thread.html/ba661b0edd91…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/29dc6c2b6257…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/8d2a579bbd97…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/c62b0e3a7bf2…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/277d42b48b6e…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/5b7a23e245c9…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rf8e8c091182…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/rb71997f506c…	mailing-listx_refsource_MLIST
https://lists.apache.org/thread.html/r5c616dfc491…	mailing-listx_refsource_MLIST

Date Public

2007-05-18 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T13:13:41.369Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-1312",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "http://www.debian.org/security/2007/dsa-1312"
          },
          {
            "name": "ADV-2007-2732",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/2732"
          },
          {
            "name": "oval:org.mitre.oval:def:6002",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002"
          },
          {
            "name": "25701",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/25701"
          },
          {
            "name": "29242",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/29242"
          },
          {
            "name": "24147",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/24147"
          },
          {
            "name": "25383",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/25383"
          },
          {
            "name": "APPLE-SA-2007-07-31",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
          },
          {
            "name": "SUSE-SR:2008:005",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
          },
          {
            "name": "34877",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://www.osvdb.org/34877"
          },
          {
            "name": "ADV-2007-1941",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/1941"
          },
          {
            "name": "GLSA-200708-15",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "http://security.gentoo.org/glsa/glsa-200708-15.xml"
          },
          {
            "name": "RHSA-2007:0379",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2007-0379.html"
          },
          {
            "name": "ADV-2007-3386",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2007/3386"
          },
          {
            "name": "1018138",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1018138"
          },
          {
            "name": "27037",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/27037"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://docs.info.apple.com/article.html?artnum=306172"
          },
          {
            "name": "26512",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/26512"
          },
          {
            "name": "SSRT071447",
            "tags": [
              "vendor-advisory",
              "x_refsource_HP",
              "x_transferred"
            ],
            "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
          },
          {
            "name": "HPSBUX02262",
            "tags": [
              "vendor-advisory",
              "x_refsource_HP",
              "x_transferred"
            ],
            "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://tomcat.apache.org/security-jk.html"
          },
          {
            "name": "25159",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/25159"
          },
          {
            "name": "RHSA-2008:0261",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
          },
          {
            "name": "tomcat-jkconnector-security-bypass(34496)",
            "tags": [
              "vdb-entry",
              "x_refsource_XF",
              "x_transferred"
            ],
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34496"
          },
          {
            "name": "26235",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/26235"
          },
          {
            "name": "[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200213 svn commit: r1873980 [30/34] - /tomcat/site/trunk/docs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2007-05-18T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-13T16:10:20.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "DSA-1312",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "http://www.debian.org/security/2007/dsa-1312"
        },
        {
          "name": "ADV-2007-2732",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/2732"
        },
        {
          "name": "oval:org.mitre.oval:def:6002",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002"
        },
        {
          "name": "25701",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/25701"
        },
        {
          "name": "29242",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/29242"
        },
        {
          "name": "24147",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/24147"
        },
        {
          "name": "25383",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/25383"
        },
        {
          "name": "APPLE-SA-2007-07-31",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
        },
        {
          "name": "SUSE-SR:2008:005",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
        },
        {
          "name": "34877",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://www.osvdb.org/34877"
        },
        {
          "name": "ADV-2007-1941",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/1941"
        },
        {
          "name": "GLSA-200708-15",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "http://security.gentoo.org/glsa/glsa-200708-15.xml"
        },
        {
          "name": "RHSA-2007:0379",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2007-0379.html"
        },
        {
          "name": "ADV-2007-3386",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2007/3386"
        },
        {
          "name": "1018138",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1018138"
        },
        {
          "name": "27037",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/27037"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://docs.info.apple.com/article.html?artnum=306172"
        },
        {
          "name": "26512",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/26512"
        },
        {
          "name": "SSRT071447",
          "tags": [
            "vendor-advisory",
            "x_refsource_HP"
          ],
          "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
        },
        {
          "name": "HPSBUX02262",
          "tags": [
            "vendor-advisory",
            "x_refsource_HP"
          ],
          "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://tomcat.apache.org/security-jk.html"
        },
        {
          "name": "25159",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/25159"
        },
        {
          "name": "RHSA-2008:0261",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
        },
        {
          "name": "tomcat-jkconnector-security-bypass(34496)",
          "tags": [
            "vdb-entry",
            "x_refsource_XF"
          ],
          "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34496"
        },
        {
          "name": "26235",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/26235"
        },
        {
          "name": "[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200213 svn commit: r1873980 [30/34] - /tomcat/site/trunk/docs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2007-1860",
    "datePublished": "2007-05-25T18:00:00.000Z",
    "dateReserved": "2007-04-04T00:00:00.000Z",
    "dateUpdated": "2024-08-07T13:13:41.369Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2007-1860",
      "date": "2026-05-27",
      "epss": "0.24507",
      "percentile": "0.96196"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat_jk_web_server_connector:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.2.22\", \"matchCriteriaId\": \"4B244B0D-0F1A-4A6C-9798-7F0A4AFB64E1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.\"}, {\"lang\": \"es\", \"value\": \"El componente mod_jk en Apache Tomcat JK Web Server Connector versi\\u00f3n 1.2. x anterior a 1.2.23, descodifica las URL de petici\\u00f3n dentro del servidor Apache HTTP antes de pasar la URL a Tomcat, lo que permite a los atacantes remotos acceder a p\\u00e1ginas protegidas por medio de un JkMount prefijado y creado, posiblemente involucrando secuencias double-encoded.. (punto punto) y el salto de directorio (directory traversal), un problema relacionado a CVE-2007-0450.\"}]",
      "id": "CVE-2007-1860",
      "lastModified": "2024-11-21T00:29:19.720",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2007-05-25T18:30:00.000",
      "references": "[{\"url\": \"http://docs.info.apple.com/article.html?artnum=306172\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://secunia.com/advisories/25383\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/25701\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/26235\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/26512\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/27037\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/29242\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200708-15.xml\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"http://tomcat.apache.org/security-jk.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.debian.org/security/2007/dsa-1312\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.osvdb.org/34877\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2007-0379.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2008-0261.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/24147\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/25159\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securitytracker.com/id?1018138\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.vupen.com/english/advisories/2007/1941\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2007/2732\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2007/3386\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/34496\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://docs.info.apple.com/article.html?artnum=306172\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://secunia.com/advisories/25383\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/25701\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/26235\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/26512\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/27037\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/29242\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://security.gentoo.org/glsa/glsa-200708-15.xml\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://tomcat.apache.org/security-jk.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"http://www.debian.org/security/2007/dsa-1312\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.osvdb.org/34877\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2007-0379.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.redhat.com/support/errata/RHSA-2008-0261.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/24147\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/25159\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securitytracker.com/id?1018138\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.vupen.com/english/advisories/2007/1941\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2007/2732\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.vupen.com/english/advisories/2007/3386\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"https://exchange.xforce.ibmcloud.com/vulnerabilities/34496\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2007-1860\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2007-05-25T18:30:00.000\",\"lastModified\":\"2026-04-23T00:35:47.467\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.\"},{\"lang\":\"es\",\"value\":\"El componente mod_jk en Apache Tomcat JK Web Server Connector versi\u00f3n 1.2. x anterior a 1.2.23, descodifica las URL de petici\u00f3n dentro del servidor Apache HTTP antes de pasar la URL a Tomcat, lo que permite a los atacantes remotos acceder a p\u00e1ginas protegidas por medio de un JkMount prefijado y creado, posiblemente involucrando secuencias double-encoded.. (punto punto) y el salto de directorio (directory traversal), un problema relacionado a CVE-2007-0450.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat_jk_web_server_connector:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.2.22\",\"matchCriteriaId\":\"4B244B0D-0F1A-4A6C-9798-7F0A4AFB64E1\"}]}]}],\"references\":[{\"url\":\"http://docs.info.apple.com/article.html?artnum=306172\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/25383\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/25701\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/26235\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/26512\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/27037\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/29242\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200708-15.xml\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://tomcat.apache.org/security-jk.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.debian.org/security/2007/dsa-1312\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.osvdb.org/34877\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2007-0379.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2008-0261.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/24147\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/25159\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securitytracker.com/id?1018138\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.vupen.com/english/advisories/2007/1941\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2007/2732\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2007/3386\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/34496\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://docs.info.apple.com/article.html?artnum=306172\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://secunia.com/advisories/25383\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/25701\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/26235\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/26512\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/27037\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/29242\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://security.gentoo.org/glsa/glsa-200708-15.xml\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://tomcat.apache.org/security-jk.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.debian.org/security/2007/dsa-1312\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.osvdb.org/34877\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2007-0379.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.redhat.com/support/errata/RHSA-2008-0261.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/24147\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/25159\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id?1018138\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vupen.com/english/advisories/2007/1941\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2007/2732\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.vupen.com/english/advisories/2007/3386\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://exchange.xforce.ibmcloud.com/vulnerabilities/34496\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

CERTA-2007-AVI-229

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité de mod_jk permet à un utilisateur malveillant de contourner la politique de sécurité.

Description

Une mauvaise gestion du codage des deux points (« .. ») est exploitable par un utilisateur malveillant pour utiliser des ressources auxquelles il ne devrait pas accéder.

Solution

La version 1.2.23 de mod_jk corrige le problème. Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Le correctif peut induire des incompatibilités avec le composant mod_rewrite.

mod_jk, versions 1.2.22 et antérieures.

Ce composant est livré avec Tomcat, versions :

4.0.1 à 4.0.6 ;
5.0.0 à 5.0.30 ;
5.5.0 à 5.5.23.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de version de Tomcat du 18 mai 2007	None	vendor-advisory
Bulletin de version Tomcat du 18 mai 2007 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cTT\u003emod_jk\u003c/TT\u003e, versions 1.2.22 et  ant\u00e9rieures.  \u003cP\u003eCe composant est livr\u00e9 avec \u003cSPAN class=\n  \"textit\"\u003eTomcat\u003c/SPAN\u003e, versions :\u003c/P\u003e  \u003cUL\u003e    \u003cLI\u003e4.0.1 \u00e0 4.0.6 ;\u003c/LI\u003e    \u003cLI\u003e5.0.0 \u00e0 5.0.30 ;\u003c/LI\u003e    \u003cLI\u003e5.5.0 \u00e0 5.5.23.\u003c/LI\u003e  \u003c/UL\u003e",
  "content": "## Description\n\nUne mauvaise gestion du codage des deux points (\u00ab .. \u00bb) est exploitable\npar un utilisateur malveillant pour utiliser des ressources auxquelles\nil ne devrait pas acc\u00e9der.\n\n## Solution\n\nLa version 1.2.23 de mod_jk corrige le probl\u00e8me. Se r\u00e9f\u00e9rer au bulletin\nde s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section\nDocumentation).\n\nLe correctif peut induire des incompatibilit\u00e9s avec le composant\nmod_rewrite.\n",
  "cves": [
    {
      "name": "CVE-2007-1860",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1860"
    }
  ],
  "links": [
    {
      "title": "Bulletin de version Tomcat du 18 mai 2007 :",
      "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
    }
  ],
  "reference": "CERTA-2007-AVI-229",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2007-05-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 de mod_jk permet \u00e0 un utilisateur malveillant de\ncontourner la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Tomcat",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de version de Tomcat du 18 mai 2007",
      "url": null
    }
  ]
}

CERTA-2007-AVI-340

Vulnerability from certfr_avis - Published: - Updated:

Plusieurs vulnérabilités ont été identifiées : elles concernent le système d'exploitation Mac OS X. L'exploitation de ces dernières peut avoir des conséquences variées, comme l'exécution de code arbitraire, ou un dysfonctionnement du système vulnérable.

Description

Plusieurs vulnérabilités ont été identifiées dans le système d'exploitation Mac OS X. Parmi celles-ci :

bzip2 : un nom d'archive malicieusement formé permet l'exécution de code arbitraire à distance ;
CFNetwork : un clic sur une addresse malicieusement formée permet l'exécution de commandes FTP arbitraires à distance ;
CoreAudio : une page Web malicieusement créée permet à l'aide d'une applet Java d'exécuter du code arbitraire à distance;
cscope : des vulnérabilités concernant un dépassement de mémoire et la création de fichiers temporaires dangereux ont été corrigées ;
gnuzip : un nom d'archive malicieusement formé permet l'exécution de code arbitraire à distance ;
iChat : un dépassement de mémoire permet de provoquer un déni de service à distance ou l'exécution de code arbitraire à distance au sein d'un même sous réseau ;
Kerberos : des vulnérabilités pouvant provoquer un déni de service ou l'exécution de code arbitraire à distance ont été corrigées ;
mDNSResponder : un dépassement de mémoire permet de provoquer un déni de service à distance ou l'exécution de code arbitraire à distance au sein d'un même sous réseau ;
PDFKit : l'ouverture d'un document malicieusement créé permet un déni de service de l'application ou l'exécution de code arbitraire ;
PHP : plusieurs vulnérabilités touchant PHP 4.4.4 ont été corrigées ;
Quartz Composer : l'ouverture d'un fichier Quartz malicieusement créé permet un déni de service de l'application ou l'exécution de code arbitraire ;
Samba : lorsque le partage de fichiers Windows est activé, un utilisateur non authentifié peut, à distance, provoquer un déni de service, exécuter du code ou des commandes arbitraires et contourner la politique de sécurité ;
SquirrelMail : plusieurs vulnérabilités dont au moins une permettant une attaque de type cross-site scripting ont été corrigées ;
Tomcat : plusieurs vulnérabilités dont certaines permettant des attaques de type cross-site scripting et l'atteinte à la confidentialité des données ont été corrigées ;
WebCore : des vulnérabilités permettant l'exécution d'applets Java alors que celui-ci est désactivé et permettant la réalisation d'attaques de type cross-site scripting ont été corrigées ;
WebKit : l'ouverture d'une page Web malicieusement créée permet l'exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Apple	N/A	Apple Mac OS X Server v10.3.9 ;
Apple	N/A	Apple Mac OS X Server v10.4.10.
Apple	N/A	Apple Mac OS X v10.4.10 ;
Apple	N/A	Apple Mac OS X v10.3.9 ;

References

Title

Publication Time

Tags

Avis de sécurité Apple 2007-007 306172 du 30 juillet 2007	None	vendor-advisory
Bulletin de sécurité Apple 2007-007 306172 du 30 juillet 2007 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Apple Mac OS X Server v10.3.9 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple Mac OS X Server v10.4.10.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple Mac OS X v10.4.10 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple Mac OS X v10.3.9 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nPlusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 identifi\u00e9es dans le syst\u00e8me\nd\u0027exploitation Mac OS X. Parmi celles-ci :\n\n-   bzip2 : un nom d\u0027archive malicieusement form\u00e9 permet l\u0027ex\u00e9cution de\n    code arbitraire \u00e0 distance ;\n-   CFNetwork : un clic sur une addresse malicieusement form\u00e9e permet\n    l\u0027ex\u00e9cution de commandes FTP arbitraires \u00e0 distance ;\n-   CoreAudio : une page Web malicieusement cr\u00e9\u00e9e permet \u00e0 l\u0027aide d\u0027une\n    applet Java d\u0027ex\u00e9cuter du code arbitraire \u00e0 distance;\n-   cscope : des vuln\u00e9rabilit\u00e9s concernant un d\u00e9passement de m\u00e9moire et\n    la cr\u00e9ation de fichiers temporaires dangereux ont \u00e9t\u00e9 corrig\u00e9es ;\n-   gnuzip : un nom d\u0027archive malicieusement form\u00e9 permet l\u0027ex\u00e9cution de\n    code arbitraire \u00e0 distance ;\n-   iChat : un d\u00e9passement de m\u00e9moire permet de provoquer un d\u00e9ni de\n    service \u00e0 distance ou l\u0027ex\u00e9cution de code arbitraire \u00e0 distance au\n    sein d\u0027un m\u00eame sous r\u00e9seau ;\n-   Kerberos : des vuln\u00e9rabilit\u00e9s pouvant provoquer un d\u00e9ni de service\n    ou l\u0027ex\u00e9cution de code arbitraire \u00e0 distance ont \u00e9t\u00e9 corrig\u00e9es ;\n-   mDNSResponder : un d\u00e9passement de m\u00e9moire permet de provoquer un\n    d\u00e9ni de service \u00e0 distance ou l\u0027ex\u00e9cution de code arbitraire \u00e0\n    distance au sein d\u0027un m\u00eame sous r\u00e9seau ;\n-   PDFKit : l\u0027ouverture d\u0027un document malicieusement cr\u00e9\u00e9 permet un\n    d\u00e9ni de service de l\u0027application ou l\u0027ex\u00e9cution de code arbitraire ;\n-   PHP : plusieurs vuln\u00e9rabilit\u00e9s touchant PHP 4.4.4 ont \u00e9t\u00e9 corrig\u00e9es\n    ;\n-   Quartz Composer : l\u0027ouverture d\u0027un fichier Quartz malicieusement\n    cr\u00e9\u00e9 permet un d\u00e9ni de service de l\u0027application ou l\u0027ex\u00e9cution de\n    code arbitraire ;\n-   Samba : lorsque le partage de fichiers Windows est activ\u00e9, un\n    utilisateur non authentifi\u00e9 peut, \u00e0 distance, provoquer un d\u00e9ni de\n    service, ex\u00e9cuter du code ou des commandes arbitraires et contourner\n    la politique de s\u00e9curit\u00e9 ;\n-   SquirrelMail : plusieurs vuln\u00e9rabilit\u00e9s dont au moins une permettant\n    une attaque de type cross-site scripting ont \u00e9t\u00e9 corrig\u00e9es ;\n-   Tomcat : plusieurs vuln\u00e9rabilit\u00e9s dont certaines permettant des\n    attaques de type cross-site scripting et l\u0027atteinte \u00e0 la\n    confidentialit\u00e9 des donn\u00e9es ont \u00e9t\u00e9 corrig\u00e9es ;\n-   WebCore : des vuln\u00e9rabilit\u00e9s permettant l\u0027ex\u00e9cution d\u0027applets Java\n    alors que celui-ci est d\u00e9sactiv\u00e9 et permettant la r\u00e9alisation\n    d\u0027attaques de type cross-site scripting ont \u00e9t\u00e9 corrig\u00e9es ;\n-   WebKit : l\u0027ouverture d\u0027une page Web malicieusement cr\u00e9\u00e9e permet\n    l\u0027ex\u00e9cution de code arbitraire \u00e0 distance.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2005-0758",
      "url": "https://www.cve.org/CVERecord?id=CVE-2005-0758"
    },
    {
      "name": "CVE-2007-2403",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2403"
    },
    {
      "name": "CVE-2007-1583",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1583"
    },
    {
      "name": "CVE-2007-2407",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2407"
    },
    {
      "name": "CVE-2006-2842",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-2842"
    },
    {
      "name": "CVE-2007-0450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-0450"
    },
    {
      "name": "CVE-2007-1711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1711"
    },
    {
      "name": "CVE-2007-2409",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2409"
    },
    {
      "name": "CVE-2007-2405",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2405"
    },
    {
      "name": "CVE-2007-3944",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3944"
    },
    {
      "name": "CVE-2007-1287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1287"
    },
    {
      "name": "CVE-2007-1262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1262"
    },
    {
      "name": "CVE-2007-2408",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2408"
    },
    {
      "name": "CVE-2005-3128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2005-3128"
    },
    {
      "name": "CVE-2007-1521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1521"
    },
    {
      "name": "CVE-2007-2446",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2446"
    },
    {
      "name": "CVE-2007-1358",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1358"
    },
    {
      "name": "CVE-2007-1717",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1717"
    },
    {
      "name": "CVE-2005-2090",
      "url": "https://www.cve.org/CVERecord?id=CVE-2005-2090"
    },
    {
      "name": "CVE-2007-1001",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1001"
    },
    {
      "name": "CVE-2007-0478",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-0478"
    },
    {
      "name": "CVE-2006-3174",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-3174"
    },
    {
      "name": "CVE-2007-3747",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3747"
    },
    {
      "name": "CVE-2007-2406",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2406"
    },
    {
      "name": "CVE-2007-3748",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3748"
    },
    {
      "name": "CVE-2007-2442",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2442"
    },
    {
      "name": "CVE-2007-3744",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3744"
    },
    {
      "name": "CVE-2007-3745",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3745"
    },
    {
      "name": "CVE-2007-1460",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1460"
    },
    {
      "name": "CVE-2007-2410",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2410"
    },
    {
      "name": "CVE-2004-0996",
      "url": "https://www.cve.org/CVERecord?id=CVE-2004-0996"
    },
    {
      "name": "CVE-2006-6142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-6142"
    },
    {
      "name": "CVE-2007-1860",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1860"
    },
    {
      "name": "CVE-2007-2798",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2798"
    },
    {
      "name": "CVE-2007-1461",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1461"
    },
    {
      "name": "CVE-2007-3742",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3742"
    },
    {
      "name": "CVE-2004-2541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2004-2541"
    },
    {
      "name": "CVE-2007-2404",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2404"
    },
    {
      "name": "CVE-2007-2447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2447"
    },
    {
      "name": "CVE-2007-1484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1484"
    },
    {
      "name": "CVE-2006-4019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-4019"
    },
    {
      "name": "CVE-2007-2589",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2589"
    },
    {
      "name": "CVE-2007-2443",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2443"
    },
    {
      "name": "CVE-2007-3746",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3746"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Apple 2007-007 306172 du 30 juillet    2007 :",
      "url": "http://docs.info.apple.com/article.html?artnum=306172"
    }
  ],
  "reference": "CERTA-2007-AVI-340",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2007-08-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Plusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 identifi\u00e9es : elles concernent le\nsyst\u00e8me d\u0027exploitation Mac OS X. L\u0027exploitation de ces derni\u00e8res peut\navoir des cons\u00e9quences vari\u00e9es, comme l\u0027ex\u00e9cution de code arbitraire, ou\nun dysfonctionnement du syst\u00e8me vuln\u00e9rable.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple Mac OS X",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Avis de s\u00e9curit\u00e9 Apple 2007-007 306172 du 30 juillet 2007",
      "url": null
    }
  ]
}

CERTA-2007-AVI-229

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité de mod_jk permet à un utilisateur malveillant de contourner la politique de sécurité.

Description

Une mauvaise gestion du codage des deux points (« .. ») est exploitable par un utilisateur malveillant pour utiliser des ressources auxquelles il ne devrait pas accéder.

Solution

La version 1.2.23 de mod_jk corrige le problème. Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Le correctif peut induire des incompatibilités avec le composant mod_rewrite.

mod_jk, versions 1.2.22 et antérieures.

Ce composant est livré avec Tomcat, versions :

4.0.1 à 4.0.6 ;
5.0.0 à 5.0.30 ;
5.5.0 à 5.5.23.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Tags

Bulletin de version de Tomcat du 18 mai 2007	None	vendor-advisory
Bulletin de version Tomcat du 18 mai 2007 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [],
  "affected_systems_content": "\u003cTT\u003emod_jk\u003c/TT\u003e, versions 1.2.22 et  ant\u00e9rieures.  \u003cP\u003eCe composant est livr\u00e9 avec \u003cSPAN class=\n  \"textit\"\u003eTomcat\u003c/SPAN\u003e, versions :\u003c/P\u003e  \u003cUL\u003e    \u003cLI\u003e4.0.1 \u00e0 4.0.6 ;\u003c/LI\u003e    \u003cLI\u003e5.0.0 \u00e0 5.0.30 ;\u003c/LI\u003e    \u003cLI\u003e5.5.0 \u00e0 5.5.23.\u003c/LI\u003e  \u003c/UL\u003e",
  "content": "## Description\n\nUne mauvaise gestion du codage des deux points (\u00ab .. \u00bb) est exploitable\npar un utilisateur malveillant pour utiliser des ressources auxquelles\nil ne devrait pas acc\u00e9der.\n\n## Solution\n\nLa version 1.2.23 de mod_jk corrige le probl\u00e8me. Se r\u00e9f\u00e9rer au bulletin\nde s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section\nDocumentation).\n\nLe correctif peut induire des incompatibilit\u00e9s avec le composant\nmod_rewrite.\n",
  "cves": [
    {
      "name": "CVE-2007-1860",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1860"
    }
  ],
  "links": [
    {
      "title": "Bulletin de version Tomcat du 18 mai 2007 :",
      "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
    }
  ],
  "reference": "CERTA-2007-AVI-229",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2007-05-29T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 de mod_jk permet \u00e0 un utilisateur malveillant de\ncontourner la politique de s\u00e9curit\u00e9.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Tomcat",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de version de Tomcat du 18 mai 2007",
      "url": null
    }
  ]
}

CERTA-2007-AVI-340

Vulnerability from certfr_avis - Published: - Updated:

Description

Plusieurs vulnérabilités ont été identifiées dans le système d'exploitation Mac OS X. Parmi celles-ci :

bzip2 : un nom d'archive malicieusement formé permet l'exécution de code arbitraire à distance ;
CFNetwork : un clic sur une addresse malicieusement formée permet l'exécution de commandes FTP arbitraires à distance ;
CoreAudio : une page Web malicieusement créée permet à l'aide d'une applet Java d'exécuter du code arbitraire à distance;
cscope : des vulnérabilités concernant un dépassement de mémoire et la création de fichiers temporaires dangereux ont été corrigées ;
gnuzip : un nom d'archive malicieusement formé permet l'exécution de code arbitraire à distance ;
iChat : un dépassement de mémoire permet de provoquer un déni de service à distance ou l'exécution de code arbitraire à distance au sein d'un même sous réseau ;
Kerberos : des vulnérabilités pouvant provoquer un déni de service ou l'exécution de code arbitraire à distance ont été corrigées ;
mDNSResponder : un dépassement de mémoire permet de provoquer un déni de service à distance ou l'exécution de code arbitraire à distance au sein d'un même sous réseau ;
PDFKit : l'ouverture d'un document malicieusement créé permet un déni de service de l'application ou l'exécution de code arbitraire ;
PHP : plusieurs vulnérabilités touchant PHP 4.4.4 ont été corrigées ;
Quartz Composer : l'ouverture d'un fichier Quartz malicieusement créé permet un déni de service de l'application ou l'exécution de code arbitraire ;
Samba : lorsque le partage de fichiers Windows est activé, un utilisateur non authentifié peut, à distance, provoquer un déni de service, exécuter du code ou des commandes arbitraires et contourner la politique de sécurité ;
SquirrelMail : plusieurs vulnérabilités dont au moins une permettant une attaque de type cross-site scripting ont été corrigées ;
Tomcat : plusieurs vulnérabilités dont certaines permettant des attaques de type cross-site scripting et l'atteinte à la confidentialité des données ont été corrigées ;
WebCore : des vulnérabilités permettant l'exécution d'applets Java alors que celui-ci est désactivé et permettant la réalisation d'attaques de type cross-site scripting ont été corrigées ;
WebKit : l'ouverture d'une page Web malicieusement créée permet l'exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Apple	N/A	Apple Mac OS X Server v10.3.9 ;
Apple	N/A	Apple Mac OS X Server v10.4.10.
Apple	N/A	Apple Mac OS X v10.4.10 ;
Apple	N/A	Apple Mac OS X v10.3.9 ;

References

Title

Publication Time

Tags

Avis de sécurité Apple 2007-007 306172 du 30 juillet 2007	None	vendor-advisory
Bulletin de sécurité Apple 2007-007 306172 du 30 juillet 2007 :	-	other

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Apple Mac OS X Server v10.3.9 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple Mac OS X Server v10.4.10.",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple Mac OS X v10.4.10 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    },
    {
      "description": "Apple Mac OS X v10.3.9 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Apple",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nPlusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 identifi\u00e9es dans le syst\u00e8me\nd\u0027exploitation Mac OS X. Parmi celles-ci :\n\n-   bzip2 : un nom d\u0027archive malicieusement form\u00e9 permet l\u0027ex\u00e9cution de\n    code arbitraire \u00e0 distance ;\n-   CFNetwork : un clic sur une addresse malicieusement form\u00e9e permet\n    l\u0027ex\u00e9cution de commandes FTP arbitraires \u00e0 distance ;\n-   CoreAudio : une page Web malicieusement cr\u00e9\u00e9e permet \u00e0 l\u0027aide d\u0027une\n    applet Java d\u0027ex\u00e9cuter du code arbitraire \u00e0 distance;\n-   cscope : des vuln\u00e9rabilit\u00e9s concernant un d\u00e9passement de m\u00e9moire et\n    la cr\u00e9ation de fichiers temporaires dangereux ont \u00e9t\u00e9 corrig\u00e9es ;\n-   gnuzip : un nom d\u0027archive malicieusement form\u00e9 permet l\u0027ex\u00e9cution de\n    code arbitraire \u00e0 distance ;\n-   iChat : un d\u00e9passement de m\u00e9moire permet de provoquer un d\u00e9ni de\n    service \u00e0 distance ou l\u0027ex\u00e9cution de code arbitraire \u00e0 distance au\n    sein d\u0027un m\u00eame sous r\u00e9seau ;\n-   Kerberos : des vuln\u00e9rabilit\u00e9s pouvant provoquer un d\u00e9ni de service\n    ou l\u0027ex\u00e9cution de code arbitraire \u00e0 distance ont \u00e9t\u00e9 corrig\u00e9es ;\n-   mDNSResponder : un d\u00e9passement de m\u00e9moire permet de provoquer un\n    d\u00e9ni de service \u00e0 distance ou l\u0027ex\u00e9cution de code arbitraire \u00e0\n    distance au sein d\u0027un m\u00eame sous r\u00e9seau ;\n-   PDFKit : l\u0027ouverture d\u0027un document malicieusement cr\u00e9\u00e9 permet un\n    d\u00e9ni de service de l\u0027application ou l\u0027ex\u00e9cution de code arbitraire ;\n-   PHP : plusieurs vuln\u00e9rabilit\u00e9s touchant PHP 4.4.4 ont \u00e9t\u00e9 corrig\u00e9es\n    ;\n-   Quartz Composer : l\u0027ouverture d\u0027un fichier Quartz malicieusement\n    cr\u00e9\u00e9 permet un d\u00e9ni de service de l\u0027application ou l\u0027ex\u00e9cution de\n    code arbitraire ;\n-   Samba : lorsque le partage de fichiers Windows est activ\u00e9, un\n    utilisateur non authentifi\u00e9 peut, \u00e0 distance, provoquer un d\u00e9ni de\n    service, ex\u00e9cuter du code ou des commandes arbitraires et contourner\n    la politique de s\u00e9curit\u00e9 ;\n-   SquirrelMail : plusieurs vuln\u00e9rabilit\u00e9s dont au moins une permettant\n    une attaque de type cross-site scripting ont \u00e9t\u00e9 corrig\u00e9es ;\n-   Tomcat : plusieurs vuln\u00e9rabilit\u00e9s dont certaines permettant des\n    attaques de type cross-site scripting et l\u0027atteinte \u00e0 la\n    confidentialit\u00e9 des donn\u00e9es ont \u00e9t\u00e9 corrig\u00e9es ;\n-   WebCore : des vuln\u00e9rabilit\u00e9s permettant l\u0027ex\u00e9cution d\u0027applets Java\n    alors que celui-ci est d\u00e9sactiv\u00e9 et permettant la r\u00e9alisation\n    d\u0027attaques de type cross-site scripting ont \u00e9t\u00e9 corrig\u00e9es ;\n-   WebKit : l\u0027ouverture d\u0027une page Web malicieusement cr\u00e9\u00e9e permet\n    l\u0027ex\u00e9cution de code arbitraire \u00e0 distance.\n\n## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2005-0758",
      "url": "https://www.cve.org/CVERecord?id=CVE-2005-0758"
    },
    {
      "name": "CVE-2007-2403",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2403"
    },
    {
      "name": "CVE-2007-1583",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1583"
    },
    {
      "name": "CVE-2007-2407",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2407"
    },
    {
      "name": "CVE-2006-2842",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-2842"
    },
    {
      "name": "CVE-2007-0450",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-0450"
    },
    {
      "name": "CVE-2007-1711",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1711"
    },
    {
      "name": "CVE-2007-2409",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2409"
    },
    {
      "name": "CVE-2007-2405",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2405"
    },
    {
      "name": "CVE-2007-3944",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3944"
    },
    {
      "name": "CVE-2007-1287",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1287"
    },
    {
      "name": "CVE-2007-1262",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1262"
    },
    {
      "name": "CVE-2007-2408",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2408"
    },
    {
      "name": "CVE-2005-3128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2005-3128"
    },
    {
      "name": "CVE-2007-1521",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1521"
    },
    {
      "name": "CVE-2007-2446",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2446"
    },
    {
      "name": "CVE-2007-1358",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1358"
    },
    {
      "name": "CVE-2007-1717",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1717"
    },
    {
      "name": "CVE-2005-2090",
      "url": "https://www.cve.org/CVERecord?id=CVE-2005-2090"
    },
    {
      "name": "CVE-2007-1001",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1001"
    },
    {
      "name": "CVE-2007-0478",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-0478"
    },
    {
      "name": "CVE-2006-3174",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-3174"
    },
    {
      "name": "CVE-2007-3747",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3747"
    },
    {
      "name": "CVE-2007-2406",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2406"
    },
    {
      "name": "CVE-2007-3748",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3748"
    },
    {
      "name": "CVE-2007-2442",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2442"
    },
    {
      "name": "CVE-2007-3744",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3744"
    },
    {
      "name": "CVE-2007-3745",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3745"
    },
    {
      "name": "CVE-2007-1460",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1460"
    },
    {
      "name": "CVE-2007-2410",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2410"
    },
    {
      "name": "CVE-2004-0996",
      "url": "https://www.cve.org/CVERecord?id=CVE-2004-0996"
    },
    {
      "name": "CVE-2006-6142",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-6142"
    },
    {
      "name": "CVE-2007-1860",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1860"
    },
    {
      "name": "CVE-2007-2798",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2798"
    },
    {
      "name": "CVE-2007-1461",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1461"
    },
    {
      "name": "CVE-2007-3742",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3742"
    },
    {
      "name": "CVE-2004-2541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2004-2541"
    },
    {
      "name": "CVE-2007-2404",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2404"
    },
    {
      "name": "CVE-2007-2447",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2447"
    },
    {
      "name": "CVE-2007-1484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-1484"
    },
    {
      "name": "CVE-2006-4019",
      "url": "https://www.cve.org/CVERecord?id=CVE-2006-4019"
    },
    {
      "name": "CVE-2007-2589",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2589"
    },
    {
      "name": "CVE-2007-2443",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-2443"
    },
    {
      "name": "CVE-2007-3746",
      "url": "https://www.cve.org/CVERecord?id=CVE-2007-3746"
    }
  ],
  "links": [
    {
      "title": "Bulletin de s\u00e9curit\u00e9 Apple 2007-007 306172 du 30 juillet    2007 :",
      "url": "http://docs.info.apple.com/article.html?artnum=306172"
    }
  ],
  "reference": "CERTA-2007-AVI-340",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2007-08-01T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    }
  ],
  "summary": "Plusieurs vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 identifi\u00e9es : elles concernent le\nsyst\u00e8me d\u0027exploitation Mac OS X. L\u0027exploitation de ces derni\u00e8res peut\navoir des cons\u00e9quences vari\u00e9es, comme l\u0027ex\u00e9cution de code arbitraire, ou\nun dysfonctionnement du syst\u00e8me vuln\u00e9rable.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Apple Mac OS X",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Avis de s\u00e9curit\u00e9 Apple 2007-007 306172 du 30 juillet 2007",
      "url": null
    }
  ]
}

FKIE_CVE-2007-1860

Vulnerability from fkie_nvd - Published: 2007-05-25 18:30 - Updated: 2026-04-23 00:35

Severity

Summary

References

URL	Tags
secalert@redhat.com	http://docs.info.apple.com/article.html?artnum=306172
secalert@redhat.com	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
secalert@redhat.com	http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
secalert@redhat.com	http://secunia.com/advisories/25383	Patch, Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/25701	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/26235	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/26512	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/27037	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/29242	Vendor Advisory
secalert@redhat.com	http://security.gentoo.org/glsa/glsa-200708-15.xml
secalert@redhat.com	http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1	Patch
secalert@redhat.com	http://tomcat.apache.org/security-jk.html	Patch
secalert@redhat.com	http://www.debian.org/security/2007/dsa-1312
secalert@redhat.com	http://www.osvdb.org/34877
secalert@redhat.com	http://www.redhat.com/support/errata/RHSA-2007-0379.html	Vendor Advisory
secalert@redhat.com	http://www.redhat.com/support/errata/RHSA-2008-0261.html
secalert@redhat.com	http://www.securityfocus.com/bid/24147
secalert@redhat.com	http://www.securityfocus.com/bid/25159
secalert@redhat.com	http://www.securitytracker.com/id?1018138
secalert@redhat.com	http://www.vupen.com/english/advisories/2007/1941	Vendor Advisory
secalert@redhat.com	http://www.vupen.com/english/advisories/2007/2732	Vendor Advisory
secalert@redhat.com	http://www.vupen.com/english/advisories/2007/3386	Vendor Advisory
secalert@redhat.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/34496
secalert@redhat.com	https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E
secalert@redhat.com	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002
af854a3a-2127-422b-91ae-364da2661108	http://docs.info.apple.com/article.html?artnum=306172
af854a3a-2127-422b-91ae-364da2661108	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/25383	Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/25701	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/26235	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/26512	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/27037	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/29242	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://security.gentoo.org/glsa/glsa-200708-15.xml
af854a3a-2127-422b-91ae-364da2661108	http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1	Patch
af854a3a-2127-422b-91ae-364da2661108	http://tomcat.apache.org/security-jk.html	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.debian.org/security/2007/dsa-1312
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/34877
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2007-0379.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.redhat.com/support/errata/RHSA-2008-0261.html
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/24147
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/25159
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1018138
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2007/1941	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2007/2732	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2007/3386	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/34496
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002

Impacted products

	Vendor	Product	Version
	apache	tomcat_jk_web_server_connector	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apache:tomcat_jk_web_server_connector:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "4B244B0D-0F1A-4A6C-9798-7F0A4AFB64E1",
              "versionEndIncluding": "1.2.22",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450."
    },
    {
      "lang": "es",
      "value": "El componente mod_jk en Apache Tomcat JK Web Server Connector versi\u00f3n 1.2. x anterior a 1.2.23, descodifica las URL de petici\u00f3n dentro del servidor Apache HTTP antes de pasar la URL a Tomcat, lo que permite a los atacantes remotos acceder a p\u00e1ginas protegidas por medio de un JkMount prefijado y creado, posiblemente involucrando secuencias double-encoded.. (punto punto) y el salto de directorio (directory traversal), un problema relacionado a CVE-2007-0450."
    }
  ],
  "id": "CVE-2007-1860",
  "lastModified": "2026-04-23T00:35:47.467",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "NONE",
          "baseScore": 5.0,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2007-05-25T18:30:00.000",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "http://docs.info.apple.com/article.html?artnum=306172"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/25383"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/25701"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/26235"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/26512"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/27037"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/29242"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://security.gentoo.org/glsa/glsa-200708-15.xml"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Patch"
      ],
      "url": "http://tomcat.apache.org/security-jk.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.debian.org/security/2007/dsa-1312"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.osvdb.org/34877"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2007-0379.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/24147"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securityfocus.com/bid/25159"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securitytracker.com/id?1018138"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2007/1941"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2007/2732"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2007/3386"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34496"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://docs.info.apple.com/article.html?artnum=306172"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/25383"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/25701"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/26235"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/26512"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/27037"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/29242"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://security.gentoo.org/glsa/glsa-200708-15.xml"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://tomcat.apache.org/security-jk.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.debian.org/security/2007/dsa-1312"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/34877"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.redhat.com/support/errata/RHSA-2007-0379.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/24147"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/25159"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1018138"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2007/1941"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2007/2732"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://www.vupen.com/english/advisories/2007/3386"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34496"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-HR63-37XG-3W68

Vulnerability from github – Published: 2022-05-01 17:57 – Updated: 2025-04-09 03:42

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2007-1860"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-05-25T18:30:00Z",
    "severity": "MODERATE"
  },
  "details": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.",
  "id": "GHSA-hr63-37xg-3w68",
  "modified": "2025-04-09T03:42:02Z",
  "published": "2022-05-01T17:57:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1860"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925@%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34496"
    },
    {
      "type": "WEB",
      "url": "http://docs.info.apple.com/article.html?artnum=306172"
    },
    {
      "type": "WEB",
      "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25383"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/25701"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26235"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26512"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27037"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29242"
    },
    {
      "type": "WEB",
      "url": "http://security.gentoo.org/glsa/glsa-200708-15.xml"
    },
    {
      "type": "WEB",
      "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
    },
    {
      "type": "WEB",
      "url": "http://tomcat.apache.org/security-jk.html"
    },
    {
      "type": "WEB",
      "url": "http://www.debian.org/security/2007/dsa-1312"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/34877"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2007-0379.html"
    },
    {
      "type": "WEB",
      "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/24147"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25159"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1018138"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/1941"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/2732"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2007/3386"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2007-1860

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2007-1860

Aliases

CVE-2007-1860

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2007-1860",
    "description": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.",
    "id": "GSD-2007-1860",
    "references": [
      "https://www.suse.com/security/cve/CVE-2007-1860.html",
      "https://www.debian.org/security/2007/dsa-1312",
      "https://access.redhat.com/errata/RHSA-2008:0524",
      "https://access.redhat.com/errata/RHSA-2008:0261",
      "https://access.redhat.com/errata/RHSA-2007:0380",
      "https://access.redhat.com/errata/RHSA-2007:0379"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2007-1860"
      ],
      "details": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.",
      "id": "GSD-2007-1860",
      "modified": "2023-12-13T01:21:39.298285Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2007-1860",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "http://docs.info.apple.com/article.html?artnum=306172",
            "refsource": "MISC",
            "url": "http://docs.info.apple.com/article.html?artnum=306172"
          },
          {
            "name": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html",
            "refsource": "MISC",
            "url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
          },
          {
            "name": "http://secunia.com/advisories/26235",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/26235"
          },
          {
            "name": "http://www.securityfocus.com/bid/25159",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/25159"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2007/2732",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2007/2732"
          },
          {
            "name": "http://www.redhat.com/support/errata/RHSA-2008-0261.html",
            "refsource": "MISC",
            "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
          },
          {
            "name": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E",
            "refsource": "MISC",
            "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795",
            "refsource": "MISC",
            "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
          },
          {
            "name": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html",
            "refsource": "MISC",
            "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
          },
          {
            "name": "http://secunia.com/advisories/25383",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/25383"
          },
          {
            "name": "http://secunia.com/advisories/25701",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/25701"
          },
          {
            "name": "http://secunia.com/advisories/26512",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/26512"
          },
          {
            "name": "http://secunia.com/advisories/27037",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/27037"
          },
          {
            "name": "http://secunia.com/advisories/29242",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/29242"
          },
          {
            "name": "http://security.gentoo.org/glsa/glsa-200708-15.xml",
            "refsource": "MISC",
            "url": "http://security.gentoo.org/glsa/glsa-200708-15.xml"
          },
          {
            "name": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1",
            "refsource": "MISC",
            "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
          },
          {
            "name": "http://tomcat.apache.org/security-jk.html",
            "refsource": "MISC",
            "url": "http://tomcat.apache.org/security-jk.html"
          },
          {
            "name": "http://www.debian.org/security/2007/dsa-1312",
            "refsource": "MISC",
            "url": "http://www.debian.org/security/2007/dsa-1312"
          },
          {
            "name": "http://www.osvdb.org/34877",
            "refsource": "MISC",
            "url": "http://www.osvdb.org/34877"
          },
          {
            "name": "http://www.redhat.com/support/errata/RHSA-2007-0379.html",
            "refsource": "MISC",
            "url": "http://www.redhat.com/support/errata/RHSA-2007-0379.html"
          },
          {
            "name": "http://www.securityfocus.com/bid/24147",
            "refsource": "MISC",
            "url": "http://www.securityfocus.com/bid/24147"
          },
          {
            "name": "http://www.securitytracker.com/id?1018138",
            "refsource": "MISC",
            "url": "http://www.securitytracker.com/id?1018138"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2007/1941",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2007/1941"
          },
          {
            "name": "http://www.vupen.com/english/advisories/2007/3386",
            "refsource": "MISC",
            "url": "http://www.vupen.com/english/advisories/2007/3386"
          },
          {
            "name": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34496",
            "refsource": "MISC",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34496"
          },
          {
            "name": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002",
            "refsource": "MISC",
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apache:tomcat_jk_web_server_connector:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.2.22",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2007-1860"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1",
              "refsource": "MISC",
              "tags": [
                "Patch"
              ],
              "url": "http://tomcat.apache.org/connectors-doc/news/20070301.html#20070518.1"
            },
            {
              "name": "http://tomcat.apache.org/security-jk.html",
              "refsource": "CONFIRM",
              "tags": [
                "Patch"
              ],
              "url": "http://tomcat.apache.org/security-jk.html"
            },
            {
              "name": "25383",
              "refsource": "SECUNIA",
              "tags": [
                "Patch",
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/25383"
            },
            {
              "name": "http://docs.info.apple.com/article.html?artnum=306172",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://docs.info.apple.com/article.html?artnum=306172"
            },
            {
              "name": "APPLE-SA-2007-07-31",
              "refsource": "APPLE",
              "tags": [],
              "url": "http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html"
            },
            {
              "name": "DSA-1312",
              "refsource": "DEBIAN",
              "tags": [],
              "url": "http://www.debian.org/security/2007/dsa-1312"
            },
            {
              "name": "GLSA-200708-15",
              "refsource": "GENTOO",
              "tags": [],
              "url": "http://security.gentoo.org/glsa/glsa-200708-15.xml"
            },
            {
              "name": "RHSA-2007:0379",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.redhat.com/support/errata/RHSA-2007-0379.html"
            },
            {
              "name": "24147",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/24147"
            },
            {
              "name": "25159",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/25159"
            },
            {
              "name": "34877",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://www.osvdb.org/34877"
            },
            {
              "name": "1018138",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1018138"
            },
            {
              "name": "25701",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/25701"
            },
            {
              "name": "26235",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/26235"
            },
            {
              "name": "26512",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/26512"
            },
            {
              "name": "27037",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/27037"
            },
            {
              "name": "SUSE-SR:2008:005",
              "refsource": "SUSE",
              "tags": [],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html"
            },
            {
              "name": "29242",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/29242"
            },
            {
              "name": "RHSA-2008:0261",
              "refsource": "REDHAT",
              "tags": [],
              "url": "http://www.redhat.com/support/errata/RHSA-2008-0261.html"
            },
            {
              "name": "SSRT071447",
              "refsource": "HP",
              "tags": [],
              "url": "http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795"
            },
            {
              "name": "ADV-2007-2732",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2007/2732"
            },
            {
              "name": "ADV-2007-1941",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2007/1941"
            },
            {
              "name": "ADV-2007-3386",
              "refsource": "VUPEN",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://www.vupen.com/english/advisories/2007/3386"
            },
            {
              "name": "tomcat-jkconnector-security-bypass(34496)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/34496"
            },
            {
              "name": "oval:org.mitre.oval:def:6002",
              "refsource": "OVAL",
              "tags": [],
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6002"
            },
            {
              "name": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E",
              "refsource": "MISC",
              "tags": [],
              "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2023-02-13T02:17Z",
      "publishedDate": "2007-05-25T18:30Z"
    }
  }
}

RHSA-2007:0379

Vulnerability from csaf_redhat - Published: 2007-05-30 16:27 - Updated: 2025-11-21 17:31

Summary

Red Hat Security Advisory: mod_jk security update

Severity

Important

Notes

Topic: Updated mod_jk packages that fix a security issue are now available for Red Hat Application Stack v1.1. This update has been rated as having Important security impact by the Red Hat Security Response Team.

Details: mod_jk is a Tomcat connector that can be used to communicate between Tomcat and the Apache HTTP Server 2. mod_jk was first distributed with Red Hat Application Stack version 1.1 released on 19 February 2007. Versions of mod_jk before 1.2.23 decoded request URLs by default inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content (CVE-2007-1860). Users of mod_jk should upgrade to these updated packages, which address this issue by changing the default so mod_jk forwards the original unchanged request URL to Tomcat.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2007-1860

Affected products

Fixed 14 products

Product	Version	Remediation
Unresolved product id: 4AS-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix

Threats

Impact Important

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2007:0379	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=237656	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2007-1860	self
https://bugzilla.redhat.com/show_bug.cgi?id=237656	external
https://www.cve.org/CVERecord?id=CVE-2007-1860	external
https://nvd.nist.gov/vuln/detail/CVE-2007-1860	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated mod_jk packages that fix a security issue are now available for Red\nHat Application Stack v1.1.\n\nThis update has been rated as having Important security impact by the Red\nHat Security Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "mod_jk is a Tomcat connector that can be used to communicate between Tomcat\nand the Apache HTTP Server 2. mod_jk was first distributed with Red Hat\nApplication Stack version 1.1 released on 19 February 2007.\n\nVersions of mod_jk before 1.2.23 decoded request URLs by default inside\nApache httpd and forwarded the encoded URL to Tomcat, which itself did a\nsecond decoding.  If Tomcat was used behind mod_jk and configured to only\nproxy some contexts, an attacker could construct a carefully crafted HTTP\nrequest to work around the context restriction and potentially access\nnon-proxied content (CVE-2007-1860).\n\nUsers of mod_jk should upgrade to these updated packages, which address\nthis issue by changing the default so mod_jk forwards the original\nunchanged request URL to Tomcat.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2007:0379",
        "url": "https://access.redhat.com/errata/RHSA-2007:0379"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "237656",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=237656"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2007/rhsa-2007_0379.json"
      }
    ],
    "title": "Red Hat Security Advisory: mod_jk security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:31:40+00:00",
      "generator": {
        "date": "2025-11-21T17:31:40+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2007:0379",
      "initial_release_date": "2007-05-30T16:27:00+00:00",
      "revision_history": [
        {
          "date": "2007-05-30T16:27:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2007-05-30T12:27:15+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:31:40+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
                "product": {
                  "name": "Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
                  "product_id": "4AS-RHWAS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_application_stack:1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
                "product": {
                  "name": "Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
                  "product_id": "4ES-RHWAS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_application_stack:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Application Stack"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
                "product": {
                  "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
                  "product_id": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-manual@1.2.20-1.el4s1.5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
                "product": {
                  "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
                  "product_id": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-debuginfo@1.2.20-1.el4s1.5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
                "product": {
                  "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
                  "product_id": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-ap20@1.2.20-1.el4s1.5?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
                "product": {
                  "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
                  "product_id": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-manual@1.2.20-1.el4s1.5?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
                "product": {
                  "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
                  "product_id": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-debuginfo@1.2.20-1.el4s1.5?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
                "product": {
                  "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
                  "product_id": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-ap20@1.2.20-1.el4s1.5?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-0:1.2.20-1.el4s1.5.src",
                "product": {
                  "name": "mod_jk-0:1.2.20-1.el4s1.5.src",
                  "product_id": "mod_jk-0:1.2.20-1.el4s1.5.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk@1.2.20-1.el4s1.5?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-0:1.2.20-1.el4s1.5.src as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src"
        },
        "product_reference": "mod_jk-0:1.2.20-1.el4s1.5.src",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-0:1.2.20-1.el4s1.5.src as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src"
        },
        "product_reference": "mod_jk-0:1.2.20-1.el4s1.5.src",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4ES-RHWAS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2007-1860",
      "discovery_date": "2007-04-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "237656"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mod_jk sends decoded URL to tomcat",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "4AS-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src",
          "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
          "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
          "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
          "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
          "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
          "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
          "4ES-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src",
          "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
          "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
          "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
          "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
          "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
          "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-1860"
        },
        {
          "category": "external",
          "summary": "RHBZ#237656",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=237656"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-1860",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-1860"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-1860",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1860"
        }
      ],
      "release_date": "2007-05-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2007-05-30T16:27:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "4AS-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src",
            "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
            "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
            "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
            "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
            "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
            "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
            "4ES-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src",
            "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
            "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
            "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
            "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
            "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
            "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2007:0379"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "mod_jk sends decoded URL to tomcat"
    }
  ]
}

RHSA-2007:0380

Vulnerability from csaf_redhat - Published: 2007-05-30 09:13 - Updated: 2025-11-21 17:31

Summary

Red Hat Security Advisory: mod_jk security update

Severity

Important

Notes

Topic: Updated mod_jk packages that fix a security issue are now available for Red Hat Application Server. This update has been rated as having Important security impact by the Red Hat Security Response Team.

Details: mod_jk is a Tomcat connector that can be used to communicate between Tomcat and the Apache HTTP Server 2. Versions of mod_jk before 1.2.23 decoded request URLs by default inside Apache httpd and forwarded the encoded URL to Tomcat, which itself did a second decoding. If Tomcat was used behind mod_jk and configured to only proxy some contexts, an attacker could construct a carefully crafted HTTP request to work around the context restriction and potentially access non-proxied content (CVE-2007-1860). Users of mod_jk should upgrade to these updated packages, which address this issue by changing the default so mod_jk forwards the original unchanged request URL to Tomcat.

CVE-2007-1860

Affected products

Fixed 39 products

Product	Version	Remediation
Unresolved product id: 4AS-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc	—	Vendor Fix fix
Unresolved product id: 4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64	—	Vendor Fix fix

Threats

Impact Important

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2007:0380	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=237656	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2007-1860	self
https://bugzilla.redhat.com/show_bug.cgi?id=237656	external
https://www.cve.org/CVERecord?id=CVE-2007-1860	external
https://nvd.nist.gov/vuln/detail/CVE-2007-1860	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated mod_jk packages that fix a security issue are now available for Red\nHat Application Server.\n\nThis update has been rated as having Important security impact by the Red\nHat Security Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "mod_jk is a Tomcat connector that can be used to communicate between Tomcat\nand the Apache HTTP Server 2.\n\nVersions of mod_jk before 1.2.23 decoded request URLs by default inside\nApache httpd and forwarded the encoded URL to Tomcat, which itself did a\nsecond decoding.  If Tomcat was used behind mod_jk and configured to only\nproxy some contexts, an attacker could construct a carefully crafted HTTP\nrequest to work around the context restriction and potentially access\nnon-proxied content (CVE-2007-1860).\n\nUsers of mod_jk should upgrade to these updated packages, which address\nthis issue by changing the default so mod_jk forwards the original\nunchanged request URL to Tomcat.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2007:0380",
        "url": "https://access.redhat.com/errata/RHSA-2007:0380"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "237656",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=237656"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2007/rhsa-2007_0380.json"
      }
    ],
    "title": "Red Hat Security Advisory: mod_jk security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:31:40+00:00",
      "generator": {
        "date": "2025-11-21T17:31:40+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2007:0380",
      "initial_release_date": "2007-05-30T09:13:00+00:00",
      "revision_history": [
        {
          "date": "2007-05-30T09:13:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2007-05-30T05:13:46+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:31:40+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Application Server v2 4AS",
                "product": {
                  "name": "Red Hat Application Server v2 4AS",
                  "product_id": "4AS-RHAPS2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_application_server:2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Application Server v2 4ES",
                "product": {
                  "name": "Red Hat Application Server v2 4ES",
                  "product_id": "4ES-RHAPS2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_application_server:2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Application Server v2 4WS",
                "product": {
                  "name": "Red Hat Application Server v2 4WS",
                  "product_id": "4WS-RHAPS2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_application_server:2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Application Server"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
                "product": {
                  "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
                  "product_id": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-ap20@1.2.20-1jpp_2rh?arch=ia64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
                "product": {
                  "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
                  "product_id": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-manual@1.2.20-1jpp_2rh?arch=ia64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
                "product": {
                  "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
                  "product_id": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-debuginfo@1.2.20-1jpp_2rh?arch=ia64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ia64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
                "product": {
                  "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
                  "product_id": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-ap20@1.2.20-1jpp_2rh?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
                "product": {
                  "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
                  "product_id": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-manual@1.2.20-1jpp_2rh?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
                "product": {
                  "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
                  "product_id": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-debuginfo@1.2.20-1jpp_2rh?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
                "product": {
                  "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
                  "product_id": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-ap20@1.2.20-1jpp_2rh?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
                "product": {
                  "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
                  "product_id": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-manual@1.2.20-1jpp_2rh?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
                "product": {
                  "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
                  "product_id": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-debuginfo@1.2.20-1jpp_2rh?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-0:1.2.20-1jpp_2rh.src",
                "product": {
                  "name": "mod_jk-0:1.2.20-1jpp_2rh.src",
                  "product_id": "mod_jk-0:1.2.20-1jpp_2rh.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk@1.2.20-1jpp_2rh?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
                "product": {
                  "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
                  "product_id": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-ap20@1.2.20-1jpp_2rh?arch=ppc"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
                "product": {
                  "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
                  "product_id": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-manual@1.2.20-1jpp_2rh?arch=ppc"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
                "product": {
                  "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
                  "product_id": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-debuginfo@1.2.20-1jpp_2rh?arch=ppc"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "ppc"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-0:1.2.20-1jpp_2rh.src as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src"
        },
        "product_reference": "mod_jk-0:1.2.20-1jpp_2rh.src",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4AS",
          "product_id": "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4AS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-0:1.2.20-1jpp_2rh.src as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src"
        },
        "product_reference": "mod_jk-0:1.2.20-1jpp_2rh.src",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4ES",
          "product_id": "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4ES-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-0:1.2.20-1jpp_2rh.src as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src"
        },
        "product_reference": "mod_jk-0:1.2.20-1jpp_2rh.src",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
        "relates_to_product_reference": "4WS-RHAPS2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64 as a component of Red Hat Application Server v2 4WS",
          "product_id": "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
        "relates_to_product_reference": "4WS-RHAPS2"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2007-1860",
      "discovery_date": "2007-04-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "237656"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mod_jk sends decoded URL to tomcat",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "4AS-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src",
          "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
          "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
          "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
          "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
          "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
          "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
          "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
          "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
          "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
          "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
          "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
          "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
          "4ES-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src",
          "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
          "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
          "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
          "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
          "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
          "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
          "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
          "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
          "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
          "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
          "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
          "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
          "4WS-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src",
          "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
          "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
          "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
          "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
          "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
          "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
          "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
          "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
          "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
          "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
          "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
          "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-1860"
        },
        {
          "category": "external",
          "summary": "RHBZ#237656",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=237656"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-1860",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-1860"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-1860",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1860"
        }
      ],
      "release_date": "2007-05-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2007-05-30T09:13:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "4AS-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src",
            "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
            "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
            "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
            "4AS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
            "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
            "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
            "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
            "4AS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
            "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
            "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
            "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
            "4AS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
            "4ES-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src",
            "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
            "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
            "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
            "4ES-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
            "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
            "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
            "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
            "4ES-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
            "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
            "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
            "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
            "4ES-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64",
            "4WS-RHAPS2:mod_jk-0:1.2.20-1jpp_2rh.src",
            "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.i386",
            "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ia64",
            "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.ppc",
            "4WS-RHAPS2:mod_jk-ap20-0:1.2.20-1jpp_2rh.x86_64",
            "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.i386",
            "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ia64",
            "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.ppc",
            "4WS-RHAPS2:mod_jk-debuginfo-0:1.2.20-1jpp_2rh.x86_64",
            "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.i386",
            "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ia64",
            "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.ppc",
            "4WS-RHAPS2:mod_jk-manual-0:1.2.20-1jpp_2rh.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2007:0380"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "mod_jk sends decoded URL to tomcat"
    }
  ]
}

RHSA-2007_0379

Vulnerability from csaf_redhat - Published: 2007-05-30 16:27 - Updated: 2024-11-22 01:58

Summary

Red Hat Security Advisory: mod_jk security update

Severity

Important

Notes

CVE-2007-1860

Affected products

Fixed 14 products

Product	Version	Remediation
Unresolved product id: 4AS-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386	—	Vendor Fix fix
Unresolved product id: 4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64	—	Vendor Fix fix

Threats

Impact Important

References

8 references

URL	Category
https://access.redhat.com/errata/RHSA-2007:0379	self
https://access.redhat.com/security/updates/classi…	external
https://bugzilla.redhat.com/show_bug.cgi?id=237656	external
https://security.access.redhat.com/data/csaf/v2/a…	self
https://access.redhat.com/security/cve/CVE-2007-1860	self
https://bugzilla.redhat.com/show_bug.cgi?id=237656	external
https://www.cve.org/CVERecord?id=CVE-2007-1860	external
https://nvd.nist.gov/vuln/detail/CVE-2007-1860	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated mod_jk packages that fix a security issue are now available for Red\nHat Application Stack v1.1.\n\nThis update has been rated as having Important security impact by the Red\nHat Security Response Team.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "mod_jk is a Tomcat connector that can be used to communicate between Tomcat\nand the Apache HTTP Server 2. mod_jk was first distributed with Red Hat\nApplication Stack version 1.1 released on 19 February 2007.\n\nVersions of mod_jk before 1.2.23 decoded request URLs by default inside\nApache httpd and forwarded the encoded URL to Tomcat, which itself did a\nsecond decoding.  If Tomcat was used behind mod_jk and configured to only\nproxy some contexts, an attacker could construct a carefully crafted HTTP\nrequest to work around the context restriction and potentially access\nnon-proxied content (CVE-2007-1860).\n\nUsers of mod_jk should upgrade to these updated packages, which address\nthis issue by changing the default so mod_jk forwards the original\nunchanged request URL to Tomcat.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2007:0379",
        "url": "https://access.redhat.com/errata/RHSA-2007:0379"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "237656",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=237656"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2007/rhsa-2007_0379.json"
      }
    ],
    "title": "Red Hat Security Advisory: mod_jk security update",
    "tracking": {
      "current_release_date": "2024-11-22T01:58:46+00:00",
      "generator": {
        "date": "2024-11-22T01:58:46+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2007:0379",
      "initial_release_date": "2007-05-30T16:27:00+00:00",
      "revision_history": [
        {
          "date": "2007-05-30T16:27:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2007-05-30T12:27:15+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T01:58:46+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
                "product": {
                  "name": "Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
                  "product_id": "4AS-RHWAS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_application_stack:1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
                "product": {
                  "name": "Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
                  "product_id": "4ES-RHWAS",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_application_stack:1"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Application Stack"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
                "product": {
                  "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
                  "product_id": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-manual@1.2.20-1.el4s1.5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
                "product": {
                  "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
                  "product_id": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-debuginfo@1.2.20-1.el4s1.5?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
                "product": {
                  "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
                  "product_id": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-ap20@1.2.20-1.el4s1.5?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
                "product": {
                  "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
                  "product_id": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-manual@1.2.20-1.el4s1.5?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
                "product": {
                  "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
                  "product_id": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-debuginfo@1.2.20-1.el4s1.5?arch=i386"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
                "product": {
                  "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
                  "product_id": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk-ap20@1.2.20-1.el4s1.5?arch=i386"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "i386"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "mod_jk-0:1.2.20-1.el4s1.5.src",
                "product": {
                  "name": "mod_jk-0:1.2.20-1.el4s1.5.src",
                  "product_id": "mod_jk-0:1.2.20-1.el4s1.5.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mod_jk@1.2.20-1.el4s1.5?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-0:1.2.20-1.el4s1.5.src as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src"
        },
        "product_reference": "mod_jk-0:1.2.20-1.el4s1.5.src",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux AS (v.4)",
          "product_id": "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4AS-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-0:1.2.20-1.el4s1.5.src as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src"
        },
        "product_reference": "mod_jk-0:1.2.20-1.el4s1.5.src",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
        "relates_to_product_reference": "4ES-RHWAS"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64 as a component of Red Hat Application Stack v1 for Enterprise Linux ES (v.4)",
          "product_id": "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64"
        },
        "product_reference": "mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
        "relates_to_product_reference": "4ES-RHWAS"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2007-1860",
      "discovery_date": "2007-04-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "237656"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "mod_jk sends decoded URL to tomcat",
          "title": "Vulnerability summary"
        }
      ],
      "product_status": {
        "fixed": [
          "4AS-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src",
          "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
          "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
          "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
          "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
          "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
          "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
          "4ES-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src",
          "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
          "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
          "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
          "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
          "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
          "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2007-1860"
        },
        {
          "category": "external",
          "summary": "RHBZ#237656",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=237656"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2007-1860",
          "url": "https://www.cve.org/CVERecord?id=CVE-2007-1860"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-1860",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-1860"
        }
      ],
      "release_date": "2007-05-21T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2007-05-30T16:27:00+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nTo update all RPMs for your particular architecture, run:\n\nrpm -Fvh [filenames]\n\nwhere [filenames] is a list of the RPMs you wish to upgrade. Only those\nRPMs which are currently installed will be updated. Those RPMs which are\nnot installed but included in the list will not be updated. Note that you\ncan also use wildcards (*.rpm) if your current directory *only* contains\nthe desired RPMs.\n\nPlease note that this update is also available via Red Hat Network. Many\npeople find this an easier way to apply updates. To use Red Hat Network,\nlaunch the Red Hat Update Agent with the following command:\n\nup2date\n\nThis will start an interactive process that will result in the appropriate\nRPMs being upgraded on your system.",
          "product_ids": [
            "4AS-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src",
            "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
            "4AS-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
            "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
            "4AS-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
            "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
            "4AS-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64",
            "4ES-RHWAS:mod_jk-0:1.2.20-1.el4s1.5.src",
            "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.i386",
            "4ES-RHWAS:mod_jk-ap20-0:1.2.20-1.el4s1.5.x86_64",
            "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.i386",
            "4ES-RHWAS:mod_jk-debuginfo-0:1.2.20-1.el4s1.5.x86_64",
            "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.i386",
            "4ES-RHWAS:mod_jk-manual-0:1.2.20-1.el4s1.5.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2007:0379"
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "mod_jk sends decoded URL to tomcat"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2007-1860 (GCVE-0-2007-1860)

Description

Solution

Description

Solution

Description

Solution

Description

Solution

Tags

Sightings

Nomenclature