The IIS/ISAPI specific code in the Apache Tomcat JK ISAPI Connector 1.2.0 to 1.2.42 that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing Tomcat via the reverse proxy.
The MITRE CVE dictionary describes this issue as:
Find out more about CVE-2018-1323 from the MITRE CVE dictionary dictionary and NIST NVD.
| CVSS3 Base Score | 7.5 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity Impact | None |
| Availability Impact | None |
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Core Services 1 | RHSA-2018:1843 | 2018-06-13 |
| Platform | Package | State |
|---|---|---|
| Red Hat JBoss EWS 2 | web | Will not fix |
| Red Hat JBoss EAP 6 | web | Affected |
Vulmon