CVE-2018-11759

HIGH EXPLOITED NUCLEI LAB

Apache Tomcat JK Connector 1.2.0-1.2.44 - Path Traversal via Request Path Normalization

Title source: llm

Exploitation Summary

CVE-2018-11759 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 3 public exploits from researchers including immunIT, Jul10l1r4, julioliraup. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC demonstrates an access bypass vulnerability in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44, where a semicolon in the URL path can bypass restrictions on protected endpoints like the JK status manager interface.

Description

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

Exploits (3)

nomisec WORKING POC 40 stars

by immunIT · poc

https://github.com/immunIT/CVE-2018-11759

View Code ZIP pw:eip

This PoC demonstrates an access bypass vulnerability in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44, where a semicolon in the URL path can bypass restrictions on protected endpoints like the JK status manager interface.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44

No auth needed

Prerequisites: Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 · Access to the target server

MITRE ATT&CK

T1005 - Data from Local System

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER 5 stars

by Jul10l1r4 · poc

https://github.com/Jul10l1r4/Identificador-CVE-2018-11759

View Code ZIP pw:eip

This repository contains a bash script designed to check if instances are vulnerable to CVE-2018-11759. It audits target load balancers and collects details such as internal addresses, ports, and timestamps.

Classification

Scanner 80%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Apache Traffic Server (versions affected by CVE-2018-11759)

No auth needed

Prerequisites: Target URLs with complete addresses including protocol

MITRE ATT&CK

T1592 - Gather Victim Host Information

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec SCANNER

by julioliraup · poc

https://github.com/julioliraup/Identificador-CVE-2018-11759

View Code ZIP pw:eip

This repository provides a bash script to check if instances are vulnerable to CVE-2018-11759, an information disclosure vulnerability in Apache Struts 2. It collects details about the target load balancer and saves them in a file for audit purposes.

Classification

Scanner 80%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: Apache Struts 2 (versions affected by CVE-2018-11759)

No auth needed

Prerequisites: Target URL with complete address including protocol

MITRE ATT&CK