Vulnerability in JK Connector in Apache Tomcat (CVE-2008-5519)
CVSS v2.0 severity:
LOW
Type:
CWE-200
Information disclosure
Publication date:
09/04/2009
Last modified:
09/04/2025
Description
The JK connector (also known as mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that includes a Content-Length header but no POST data, or (2) a series of rapid requests, related to non-compliance with the AJP protocol requirements for requests that contain Content-Length headers.
Impact
Base score 2.0
2.60
Severity 2.0
LOW
Vulnerable products and versions
| CPE | From | To |
|---|---|---|
| cpe:2.3:a:apache:mod_jk:1.2:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.6:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.7:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.8:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.9:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.10:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.11:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.12:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.13:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.14:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.14.1:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.15:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.16:*:*:*:*:*:*:* | | |
| cpe:2.3:a:apache:mod_jk:1.2.17:*:*:*:*:*:*:* | | |
To see the complete list of CPE names with products and versions, see this page.
References to solutions, tools and information
- http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
- http://mail-archives.apache.org/mod_mbox/www-announce/200904.mbox/%3C49DBBAC0.2080400%40apache.org%3E
- http://marc.info/?l=tomcat-dev&m=123913700700879
- http://secunia.com/advisories/29283
- http://secunia.com/advisories/34621
- http://secunia.com/advisories/35537
- http://securitytracker.com/id?1022001=
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-262468-1
- http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c?r1=702387&r2=702540&pathrev=702540&diff_format=h
- http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=markup&pathrev=702540
- http://svn.eu.apache.org/viewvc?view=rev&revision=702540
- http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html
- http://tomcat.apache.org/security-jk.html
- http://www.debian.org/security/2009/dsa-1810
- http://www.openwall.com/lists/oss-security/2009/04/08/10
- http://www.redhat.com/support/errata/RHSA-2009-0446.html
- http://www.securityfocus.com/archive/1/502530/100/0/threaded
- http://www.securityfocus.com/bid/34412
- http://www.vupen.com/english/advisories/2009/0973
- https://bugzilla.redhat.com/show_bug.cgi?id=490201
- https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E