The mod_jk component of Apache Tomcat ConnectorsÂ in some circumstances, such as when a configuration includedÂ “JkOptions +ForwardDirectories” but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker.Â Such an implicit mapping could result in the unintended exposure of theÂ status worker and/or bypass security constraints configured in httpd. AsÂ of JK 1.2.49, the implicit mapping functionality has been removed and allÂ mappings must now be via explicit configuration.Â Only mod_jk is affectedÂ by this issue. The ISAPI redirector is not affected.
This issue affects Apache Tomcat Connectors (mod_jk only): from 1.2.0 through 1.2.48.
Users are recommended to upgrade to version 1.2.49, which fixes the issue.Read More