H3-2026-0028
Apache Tomcat JK Status Manager Exposed
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 5.3 |
Description
The Apache Tomcat JK Status Manager, the status worker that the mod_jk connector serves from the Apache HTTP Server front end (commonly mounted at a path such as /jkstatus or /jkmanager), is publicly accessible without authentication. The status page exposes internal infrastructure details: the AJP backend workers with their hostnames or IP addresses and ports, the URI-to-worker routing (JkMount) mappings, load-balancer and connection pool statistics, and the Apache HTTP Server and mod_jk version strings. Unless the status worker is configured read-only (worker.<name>.read_only=True; the default is False), it also accepts requests that change runtime state, such as disabling or stopping a backend worker or altering load-balancer settings, so the exposure can go beyond information disclosure. Attackers can use this information to map the internal network architecture and identify further attack vectors.
Impact
Unauthenticated attackers can view sensitive internal infrastructure details, including backend AJP worker IP addresses and ports, the URI-to-worker mappings that reveal application routing, connection pool and load-balancer statistics, and the Apache HTTP Server and mod_jk version strings. This disclosure aids reconnaissance for further attacks: knowing exactly which hosts and ports speak AJP tells an attacker where to aim direct AJP-protocol attacks such as Ghostcat (CVE-2020-1938), which requires network reachability to the Tomcat AJP connector (normally port 8009) and is therefore far more practical once the backend addresses are known. If the status worker is not read-only, the same unauthenticated access also permits runtime changes such as disabling or stopping backend workers, which is a denial-of-service vector.
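As an added example, not part of this finding's original text and not code from mod_jk or Tomcat: a small Python checker that recognises the JK Status Manager page in a response body and parses the status worker's key=value output (the form returned for ?mime=prop) to list the AJP backends it leaks, flag internal IP literals, and report whether the status worker is writable. The sample output is constructed for the example; exact key names vary between mod_jk versions, so the parser relies only on the worker.<name>.<attribute>=value shape. The /jkstatus path, the `jkstatus-audit` user agent, and the helper names are assumptions.

```python
"""Offline check for an exposed mod_jk status worker (JK Status Manager).

Part 1 recognises the status page in an HTML body; part 2 turns the worker's
key=value output into a finding. The sample input is constructed for this
example, not captured from a real server.
"""
import ipaddress
import re
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the style of the status worker's ?mime=prop output.
# Key names are assumed; real mod_jk versions may name attributes differently.
SAMPLE_PROP_OUTPUT = """\
worker.list=loadbalancer,jkstatus
worker.loadbalancer.type=lb
worker.loadbalancer.balance_workers=node1,node2
worker.loadbalancer.sticky_session=True
worker.node1.type=ajp13
worker.node1.host=10.0.1.21
worker.node1.port=8009
worker.node1.connection_pool_size=250
worker.node2.type=ajp13
worker.node2.host=app2.corp.internal
worker.node2.port=8009
worker.node2.connection_pool_size=250
worker.jkstatus.type=status
worker.jkstatus.read_only=False
"""

# worker.<name>.<attribute>=<value>; lines like worker.list=... do not match.
KV_RE = re.compile(r"^worker\.([^.=\s]+)\.([^.=\s]+)=(.*)$")


@dataclass
class AjpWorker:
    name: str
    host: str
    port: int
    private: bool  # host is a private/loopback IP literal (internal address leak)


@dataclass
class Finding:
    exposed: bool
    writable: bool  # status worker is not read-only, so runtime state can be changed
    workers: list = field(default_factory=list)


def is_jkstatus_page(body: str) -> bool:
    """True if an HTML body carries the JK Status Manager page title."""
    return "JK Status Manager" in body


def parse_workers(text: str) -> dict:
    """Group worker.<name>.<attr>=<value> lines into {name: {attr: value}}."""
    workers: dict = {}
    for line in text.splitlines():
        m = KV_RE.match(line.strip())
        if m:
            name, attr, value = m.groups()
            workers.setdefault(name, {})[attr] = value
    return workers


def _is_private(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback


def audit(prop_text: str) -> Finding:
    """Turn the status worker's key=value output into a finding."""
    workers = parse_workers(prop_text)
    finding = Finding(exposed=bool(workers), writable=False)
    for name, attrs in workers.items():
        wtype = attrs.get("type", "")
        if wtype == "status":
            # mod_jk's read_only defaults to False, so a missing key means writable.
            finding.writable = attrs.get("read_only", "False").lower() != "true"
        elif wtype.startswith("ajp"):
            host = attrs.get("host", "")
            port = int(attrs.get("port", "0"))
            finding.workers.append(AjpWorker(name, host, port, _is_private(host)))
    return finding


def fetch_and_audit(url: str, timeout: float = 5.0) -> Optional[Finding]:
    """Live check: GET <url>?mime=prop with no credentials. Returns None when
    the response does not look like status-worker output. Only run this against
    systems you are authorised to test."""
    req = urllib.request.Request(url + "?mime=prop",
                                 headers={"User-Agent": "jkstatus-audit"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8", "replace")
    return audit(body) if parse_workers(body) else None


if __name__ == "__main__":
    f = audit(SAMPLE_PROP_OUTPUT)
    print(f"exposed={f.exposed} writable={f.writable}")
    for w in f.workers:
        note = " (internal address)" if w.private else ""
        print(f"  {w.name}: {w.host}:{w.port}{note}")
```

On the constructed sample this reports both AJP backends, marks 10.0.1.21 as an internal address, and marks the status worker writable because read_only is False. A writable result upgrades the finding from disclosure to a change-of-configuration issue; in practice the fix is to restrict the JkMount path to authenticated or allow-listed clients in the httpd configuration and to set read_only=True on the status worker unless write access is genuinely needed.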