CVE-2018-11759
High PUBLISHEDThe Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK...
Not yet in CISA KEV
Recommended Action
Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
At a Glance
The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.
- CVE Published
- Oct 31, 2018
- Exploitation Reported
- Apr 24, 2025
- CVSS
- 7.5 High
- EPSS
- —
Affected Versions
| Vendor | Product | Version | Status |
|---|---|---|---|
| Apache Software Foundation |
Apache Tomcat Connectors
|
Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 |
Affected |
CVE References
- DSA-4357 debian.org · Vendor Advisory https://www.debian.org/security/2018/dsa-4357
- RHSA-2019:0367 access.redhat.com · Vendor Advisory https://access.redhat.com/errata/RHSA-2019:0367
- RHSA-2019:0366 access.redhat.com · Vendor Advisory https://access.redhat.com/errata/RHSA-2019:0366
- 105888 securityfocus.com · VDB Entry http://www.securityfocus.com/bid/105888
- [debian-lts-announce] 20181217 [SECURITY] [DLA 1609-1] libapache-mod-jk security update lists.debian.org · Mailing List https://lists.debian.org/debian-lts-announce/2018/12/msg00007.html
Show 8 more references
- [tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ lists.apache.org · Mailing List https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620d...
- [tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ lists.apache.org · Mailing List https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec5486...
- [tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ lists.apache.org · Mailing List https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21...
- [tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ lists.apache.org · Mailing List https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143...
- [tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/ lists.apache.org · Mailing List https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10...
- [tomcat-dev] 20200213 svn commit: r1873980 [30/34] - /tomcat/site/trunk/docs/ lists.apache.org · Mailing List https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80...
- Apache Mailing List lists.apache.org · CVE Record https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a...
- oracle.com/security-alerts/cpujan2020.html oracle.com · CVE Record https://www.oracle.com/security-alerts/cpujan2020.html
Recommended Actions
- Prioritize remediation. Validate affected assets and apply vendor fixes on an accelerated timeline.
- Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
- Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.
Known Exploited Vulnerability Sources
Catalogues that list this CVE as a known exploited vulnerability.
Per-source evidence links for KEV attestations are available through the KEVIntel Pro API.
Learn about Pro API access| Source | Added |
|---|---|
| The Shadowserver First | 2025-04-24 00:00 UTC |
Scanner Artifacts
Nuclei and Metasploit references linked to this CVE.
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-11759.yaml | Apr 25, 2025 |
Virtual Patch
Compensating WAF rules to help reduce exposure to this CVE. Rule content and deployable vendor exports are available with KEVIntel Enterprise.
KEVIntel does not currently have a virtual patch for this CVE. When available, KEVIntel virtual patches ship as deployable ModSecurity, Cloudflare, and AWS WAF rules.
Enterprise feature. Virtual patch rule content and deployable vendor exports (ModSecurity, Cloudflare, AWS WAF) are available to KEVIntel Enterprise users.
CVSS Scores
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
AV:N/AC:L/Au:N/C:P/I:N/A:N
Exploitation Status
Exploited in the wild
Recorded 2025-04-24 00:00:00 UTC · The Shadowserver
Proof of concept available
Recorded 2018-11-01 09:11:07 UTC · GitHub
Scanner Integrations
| Scanner | Reference | Detected |
|---|---|---|
| Nuclei | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2018/CVE-2018-11759.yaml | Apr 25, 2025 |
Potential Proof of Concepts
These PoCs are unverified and could contain malware. Use at your own risk.
github · Created 2024-04-18 14:28:11 UTC · 0 stars
github · Created 2018-12-08 02:32:14 UTC · 5 stars
This exploit for CVE 2018-11759, vulnerability in apache mod_jk, module for load-balancer
github · Created 2018-11-01 09:11:07 UTC · 41 stars
Proof of concept showing how to exploit the CVE-2018-11759
nuclei · Created Unknown
Timeline
Key exploitation, disclosure, scanner coverage, and KEV attestation events for this CVE.
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Nuclei template available
Scanner coverage available
-
00:00 UTC about 1 year ago00:00 UTC · about 1 year ago
Added to KEVIntel KEV Feed
High-confidence, third-party attested exploitation
-
09:11 UTC over 7 years ago09:11 UTC · over 7 years ago
Public PoC available
Public proof-of-concept code published
-
20:00 UTC over 7 years ago20:00 UTC · over 7 years ago
CVE published
Vulnerability disclosed publicly
-
00:00 UTC about 8 years ago00:00 UTC · about 8 years ago
CVE ID reserved
Identifier reserved by the CNA
Automate This Intelligence with the Pro API
Confidence scoring, exploit status, sensor telemetry, PoCs, scanner integrations, mentions, and tags are available programmatically for VM, SOC, and CTI workflows.
Pro API Example
GET /api/v2/pro/kevs/CVE-2018-11759
{
"cve_id": "CVE-2018-11759",
"title": "The Apache Web Server (httpd) specific code that normalised the requested pat...",
"affected_vendor": "Apache Software Foundation",
"affected_product": "Apache Tomcat Connectors",
"affected_versions": [
{ "vendor": "...", "product": "...", "status": "affected", "display_label": "..." }
],
"confidence": "High",
"cvss_score": 7.5,
"epss_score": null,
"exploit_status": {
"exploited_in_the_wild": true,
"active_exploitation_observed": false
},
"sensor_telemetry": { "...": "Pro API fields" },
"proof_of_concepts": [ "..." ],
"scanner_integrations": [ "..." ]
}