CVE-2023-41081

Summary

CVE: CVE-2023-41081
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2023-09-13 10:15:00 UTC
Updated: 2023-09-29 00:15:00 UTC

Description

Important: Authentication Bypass CVE-2023-41081

In some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but did not provide explicit mounts for all possible proxied requests, the mod_jk component of Apache Tomcat Connectors would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of JK 1.2.49, the implicit mapping functionality has been removed and all mappings must now be via explicit configuration.

Only mod_jk is affected by this issue. The ISAPI redirector is not affected.

This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48. Users are recommended to upgrade to version 1.2.49, which fixes the issue.

History
2023-09-13 Original advisory
2023-09-28 Updated summary

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

Type         Vendor   Product             Version  Update  Edition  Language
Application  Apache   Tomcat Connectors   All      All     All      All

References

  • oss-security - [SECURITY] CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure (MISC, www.openwall.com)
  • oss-security - CVE-2023-41081: Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request [CORRECTION] (MISC, www.openwall.com)
  • [SECURITY] [DLA 3580-1] libapache-mod-jk security update (MISC, lists.debian.org)
  • lists.apache.org/thread/rd1r26w7271jyqgzr4492tooyt583d8b (MISC, lists.apache.org)
  • CVE Program record (CVE.ORG, www.cve.org; canonical)
  • NVD vulnerability detail (NVD, nvd.nist.gov; canonical, analysis)

Legacy QID Mappings

  • 242553 Red Hat Update for JBoss Core Services (RHSA-2023:7625)
  • 6000159 Debian Security Update for libapache-mod-jk (DLA 3580-1)
  • 756105 SUSE Enterprise Linux Security Update for apache2-mod_jk (SUSE-SU-2024:1198-1)
© CVE.report 2026


CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation, and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
