Vulnerability identifier: #VU97659
Vulnerability risk: Low
CVSSv3.1: 3.9 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID: CWE-276
Exploitation vector: Local
Exploit availability: No
Vulnerable software: mod_jk (Web applications / Other software)
Vendor: Apache Foundation
Description
The vulnerability allows a local user to gain access to sensitive information.
The vulnerability exists due to incorrect default permissions for the memory-mapped file configured by the JkShmFile directive on Unix-like systems. A local user can view or modify the contents of the shared memory containing mod_jk configuration and status information, which can lead to information disclosure or denial of service.
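To check a host for the condition described above, the following added example (not part of the advisory and not vendor code) extracts JkShmFile paths from an httpd configuration file and reports any that grant access beyond the owner. The function names, the ServerRoot argument and the owner-only expectation are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): audit files named by the JkShmFile directive.
# Assumption: any group/other read or write bit counts as a finding.

# Print every JkShmFile path in a config file.
# $1 = httpd config file, $2 = ServerRoot for resolving relative paths.
jk_shm_paths() {
    sed -n 's/^[[:space:]]*[Jj][Kk][Ss][Hh][Mm][Ff][Ii][Ll][Ee][[:space:]]\{1,\}//p' "$1" |
    sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' |
    while IFS= read -r p; do
        case $p in
            /*) printf '%s\n' "$p" ;;
            *)  printf '%s/%s\n' "$2" "$p" ;;
        esac
    done
}

# Succeed (finding) when the file grants read or write to group or other.
shm_is_exposed() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 \
                               -o -perm -004 -o -perm -002 \) -print)" ]
}

# Report each exposed file; return 1 if at least one was found.
audit_jk_shm() {
    rc=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if shm_is_exposed "$f"; then
            echo "EXPOSED: $f ($(ls -ld "$f" | cut -d' ' -f1))"
            rc=1
        fi
    done <<EOF
$(jk_shm_paths "$1" "$2")
EOF
    return "$rc"
}

# Usage: sh audit.sh /path/to/httpd.conf /path/to/ServerRoot
if [ "$#" -eq 2 ]; then
    audit_jk_shm "$1" "$2"
fi
```

A non-zero exit status means at least one configured shared memory file is readable or writable by accounts other than its owner.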
Mitigation
Install the update from the vendor's website.
Vulnerable software versions
mod_jk: 1.2.10 - 1.2.49
External links
http://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker must have authentication credentials and successfully authenticate on the system.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.