CVE-2024-46544

Published: Sep 23, 2024Modified: Jul 10, 2025

5.9

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Exploitability: 2.5 / Impact: 3.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue.

Affected (2)

Products: Apache: Tomcat Connectors · Debian: Debian Linux

1 product

Tomcat Connectors

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat Connectors	From 1.2.9 to 1.2.50

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 11.0

Related CWEs

Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

References (3)

https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d

Source: security@apache.org

Mailing ListVendor Advisory

http://www.openwall.com/lists/oss-security/2024/09/23/1

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2024/10/msg00010.html

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

Timeline

No history available yet.