CVE-2007-1860

Publication date 25 May 2007

Last updated 17 July 2025

Ubuntu priority

mod_jk in Apache Tomcat JK Web Server Connector 1.2.x before 1.2.23 decodes request URLs within the Apache HTTP Server before passing the URL to Tomcat, which allows remote attackers to access protected pages via a crafted prefix JkMount, possibly involving double-encoded .. (dot dot) sequences and directory traversal, a related issue to CVE-2007-0450.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
libapache-mod-jk	8.10 intrepid	Fixed 1.2.23-3
	8.04 LTS hardy	Fixed 1.2.23-3
	7.10 gutsy	Fixed 1.2.23-3
	7.04 feisty	Ignored end of life, was needed
	6.10 edgy	Ignored end of life, was needed
	6.06 LTS dapper	Fixed 1:1.2.14.1-2ubuntu1.1

Notes

jdstrand

LP bug has debdiffs

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
libapache-mod-jk	Debdiff: https://bugs.launchpad.net/ubuntu/+source/libapache-mod-jk/+bug/119739

References

Other references

https://www.cve.org/CVERecord?id=CVE-2007-1860