CVE-2008-5519

Publication date 9 April 2009

Last updated 24 July 2024

The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libapache-mod-jk	11.10 oneiric	Not affected
	11.04 natty	Not affected
	10.10 maverick	Not affected
	10.04 LTS lucid	Not affected
	9.10 karmic	Not affected
	9.04 jaunty	Fixed 1:1.2.26-2+lenny1build0.9.04.1
	8.10 intrepid	Fixed 1:1.2.26-2+lenny1build0.8.10.1
	8.04 LTS hardy	Ignored
	6.06 LTS dapper	Ignored

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

http://tomcat.apache.org/security-jk.html
https://www.cve.org/CVERecord?id=CVE-2008-5519