CVE-2024-46544

low-risk

Published 2024-09-23

Incorrect Default Permissions vulnerability in Apache Tomcat Connectors allows local users to view and modify shared memory containing mod_jk configuration which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors: from 1.2.9-beta through 1.2.49. Only mod_jk on Unix like systems is affected. Neither the ISAPI redirector nor mod_jk on Windows is affected. Users are recommended to upgrade to version 1.2.50, which fixes the issue.

Do I need to act?

0.04% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

LOCAL / LOW complexity

Affected Products (2)

Tomcat Connectors

Debian Linux

Affected Vendors

Debian Apache

References (3)

Mailing List https://lists.apache.org/thread/q1gp7cc38hs1r8gj8gfnopwznd5fpr4d

Mailing List http://www.openwall.com/lists/oss-security/2024/09/23/1

Mailing List https://lists.debian.org/debian-lts-announce/2024/10/msg00010.html

/ 100

low-risk

Severity 19/34 · Moderate

Exploitability 0/34 · Minimal

Exposure 7/34 · Low