CVE-2008-5519 [Low] | Information Disclosure in Mod Jk

The JK Connector (aka mod_jk) 1.2.0 through 1.2.26 in Apache Tomcat allows remote attackers to obtain sensitive information via an arbitrary request from an HTTP client, in opportunistic circumstances involving (1) a request from a different client that included a Content-Length header but no POST data or (2) a rapid series of requests, related to noncompliance with the AJP protocol's requirements for requests containing Content-Length headers.

EDB-ID	Source	Kind	Published	Link
—	nvd_ref	exploit_tag		Exploit-DB ↗

EDB-ID

Source

Kind

Published

Link

—

nvd_ref

exploit_tag

Exploit-DB ↗

#	Date	Old EPSS score	New EPSS score	Delta (New - Old)
1	2026-06-15	4.56%	7.26%	+2.71%
2	2025-12-28	5.79%	4.56%	-1.23%
3	2025-12-27	—	5.79%	—

Date

Old EPSS score

New EPSS score

Delta (New - Old)

2026-06-15

4.56%

7.26%

+2.71%

2025-12-28

5.79%

4.56%

-1.23%

2025-12-27

—

5.79%

—

Base score	Version	Severity	Vector	Exploitability	Impact	Score source
2.6	2.0	LOW	`AV:N/AC:H/Au:N/C:P/I:N/A:N` Click to expand Access vector (AV:N) Can be exploited remotely over network reachability. Access complexity (AC:H) Exploitation requires uncommon or highly specific conditions. Authentication (AU:N) No authentication is required. Confidentiality impact (C:P) Partial confidentiality impact. Integrity impact (I:N) No integrity impact. Availability impact (A:N) No availability impact.	4.9	2.9	[email protected]

Base score

Version

Severity

Vector

Exploitability

Impact

Score source

2.6

2.0

LOW

AV:N/AC:H/Au:N/C:P/I:N/A:N Click to expand

Access vector (AV:N): Can be exploited remotely over network reachability.
Access complexity (AC:H): Exploitation requires uncommon or highly specific conditions.
Authentication (AU:N): No authentication is required.
Confidentiality impact (C:P): Partial confidentiality impact.
Integrity impact (I:N): No integrity impact.
Availability impact (A:N): No availability impact.

4.9

2.9

[email protected]

OS Trackers for CVE-2008-5519

vendor	priority	summary	link
`debian`	not yet assigned	CVE-2008-5519 not yet assigned priority: Debian including 1 source packages (libapache-mod-jk), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5.	https://security-tracker.debian.org/tracker/CVE-2008-5519
`gentoo`	low	CVE-2008-5519: 1 GLSA(s) (200906-04), 1 atom(s) (www-apache/mod_jk); latest impact low.	https://bugs.gentoo.org/buglist.cgi?quicksearch=CVE-2008-5519
`redhat`	high	—	https://access.redhat.com/security/cve/CVE-2008-5519
`ubuntu`	low	CVE-2008-5519 low priority: Ubuntu including 1 source packages (libapache-mod-jk), 10 status rows across 10 suites (dapper, hardy, intrepid, jaunty, karmic, lucid, maverick, natty, oneiric, upstream): not-affected 5, released 3, ignored 2.	https://ubuntu.com/security/CVE-2008-5519

Affected software / configurations for CVE-2008-5519

Vendor	Product	Version	Raw CPE
apache	mod_jk	1.2	cpe:2.3:a:apache:mod_jk:1.2:::::::*
apache	mod_jk	1.2.1	cpe:2.3:a:apache:mod_jk:1.2.1:::::::*
apache	mod_jk	1.2.6	cpe:2.3:a:apache:mod_jk:1.2.6:::::::*
apache	mod_jk	1.2.7	cpe:2.3:a:apache:mod_jk:1.2.7:::::::*
apache	mod_jk	1.2.8	cpe:2.3:a:apache:mod_jk:1.2.8:::::::*
apache	mod_jk	1.2.9	cpe:2.3:a:apache:mod_jk:1.2.9:::::::*
apache	mod_jk	1.2.10	cpe:2.3:a:apache:mod_jk:1.2.10:::::::*
apache	mod_jk	1.2.11	cpe:2.3:a:apache:mod_jk:1.2.11:::::::*
apache	mod_jk	1.2.12	cpe:2.3:a:apache:mod_jk:1.2.12:::::::*
apache	mod_jk	1.2.13	cpe:2.3:a:apache:mod_jk:1.2.13:::::::*
apache	mod_jk	1.2.14	cpe:2.3:a:apache:mod_jk:1.2.14:::::::*
apache	mod_jk	1.2.14.1	cpe:2.3:a:apache:mod_jk:1.2.14.1:::::::*
apache	mod_jk	1.2.15	cpe:2.3:a:apache:mod_jk:1.2.15:::::::*
apache	mod_jk	1.2.16	cpe:2.3:a:apache:mod_jk:1.2.16:::::::*
apache	mod_jk	1.2.17	cpe:2.3:a:apache:mod_jk:1.2.17:::::::*
apache	mod_jk	1.2.18	cpe:2.3:a:apache:mod_jk:1.2.18:::::::*
apache	mod_jk	1.2.19	cpe:2.3:a:apache:mod_jk:1.2.19:::::::*
apache	mod_jk	1.2.20	cpe:2.3:a:apache:mod_jk:1.2.20:::::::*
apache	mod_jk	1.2.21	cpe:2.3:a:apache:mod_jk:1.2.21:::::::*
apache	mod_jk	1.2.22	cpe:2.3:a:apache:mod_jk:1.2.22:::::::*
apache	mod_jk	1.2.23	cpe:2.3:a:apache:mod_jk:1.2.23:::::::*
apache	mod_jk	1.2.24	cpe:2.3:a:apache:mod_jk:1.2.24:::::::*
apache	mod_jk	1.2.25	cpe:2.3:a:apache:mod_jk:1.2.25:::::::*
apache	mod_jk	1.2.26	cpe:2.3:a:apache:mod_jk:1.2.26:::::::*
apache	tomcat	4.0.0	cpe:2.3:a:apache:tomcat:4.0.0:::::::*
apache	tomcat	4.0.1	cpe:2.3:a:apache:tomcat:4.0.1:::::::*
apache	tomcat	4.0.2	cpe:2.3:a:apache:tomcat:4.0.2:::::::*
apache	tomcat	4.0.3	cpe:2.3:a:apache:tomcat:4.0.3:::::::*
apache	tomcat	4.0.4	cpe:2.3:a:apache:tomcat:4.0.4:::::::*
apache	tomcat	4.0.5	cpe:2.3:a:apache:tomcat:4.0.5:::::::*
apache	tomcat	4.0.6	cpe:2.3:a:apache:tomcat:4.0.6:::::::*
apache	tomcat	4.1.0	cpe:2.3:a:apache:tomcat:4.1.0:::::::*
apache	tomcat	4.1.1	cpe:2.3:a:apache:tomcat:4.1.1:::::::*
apache	tomcat	4.1.2	cpe:2.3:a:apache:tomcat:4.1.2:::::::*
apache	tomcat	4.1.3	cpe:2.3:a:apache:tomcat:4.1.3:::::::*
apache	tomcat	4.1.3	cpe:2.3:a:apache:tomcat:4.1.3:beta::::::
apache	tomcat	4.1.4	cpe:2.3:a:apache:tomcat:4.1.4:::::::*
apache	tomcat	4.1.5	cpe:2.3:a:apache:tomcat:4.1.5:::::::*
apache	tomcat	4.1.6	cpe:2.3:a:apache:tomcat:4.1.6:::::::*
apache	tomcat	4.1.7	cpe:2.3:a:apache:tomcat:4.1.7:::::::*
apache	tomcat	4.1.8	cpe:2.3:a:apache:tomcat:4.1.8:::::::*
apache	tomcat	4.1.9	cpe:2.3:a:apache:tomcat:4.1.9:::::::*
apache	tomcat	4.1.9	cpe:2.3:a:apache:tomcat:4.1.9:beta::::::
apache	tomcat	4.1.10	cpe:2.3:a:apache:tomcat:4.1.10:::::::*
apache	tomcat	4.1.11	cpe:2.3:a:apache:tomcat:4.1.11:::::::*
apache	tomcat	4.1.12	cpe:2.3:a:apache:tomcat:4.1.12:::::::*
apache	tomcat	4.1.13	cpe:2.3:a:apache:tomcat:4.1.13:::::::*
apache	tomcat	4.1.14	cpe:2.3:a:apache:tomcat:4.1.14:::::::*
apache	tomcat	4.1.15	cpe:2.3:a:apache:tomcat:4.1.15:::::::*
apache	tomcat	4.1.16	cpe:2.3:a:apache:tomcat:4.1.16:::::::*
apache	tomcat	4.1.17	cpe:2.3:a:apache:tomcat:4.1.17:::::::*
apache	tomcat	4.1.18	cpe:2.3:a:apache:tomcat:4.1.18:::::::*
apache	tomcat	4.1.19	cpe:2.3:a:apache:tomcat:4.1.19:::::::*
apache	tomcat	4.1.20	cpe:2.3:a:apache:tomcat:4.1.20:::::::*
apache	tomcat	4.1.21	cpe:2.3:a:apache:tomcat:4.1.21:::::::*
apache	tomcat	4.1.22	cpe:2.3:a:apache:tomcat:4.1.22:::::::*
apache	tomcat	4.1.23	cpe:2.3:a:apache:tomcat:4.1.23:::::::*
apache	tomcat	4.1.24	cpe:2.3:a:apache:tomcat:4.1.24:::::::*
apache	tomcat	4.1.25	cpe:2.3:a:apache:tomcat:4.1.25:::::::*
apache	tomcat	4.1.26	cpe:2.3:a:apache:tomcat:4.1.26:::::::*
apache	tomcat	4.1.27	cpe:2.3:a:apache:tomcat:4.1.27:::::::*
apache	tomcat	4.1.28	cpe:2.3:a:apache:tomcat:4.1.28:::::::*
apache	tomcat	4.1.29	cpe:2.3:a:apache:tomcat:4.1.29:::::::*
apache	tomcat	4.1.30	cpe:2.3:a:apache:tomcat:4.1.30:::::::*
apache	tomcat	4.1.31	cpe:2.3:a:apache:tomcat:4.1.31:::::::*
apache	tomcat	4.1.32	cpe:2.3:a:apache:tomcat:4.1.32:::::::*
apache	tomcat	4.1.33	cpe:2.3:a:apache:tomcat:4.1.33:::::::*
apache	tomcat	4.1.34	cpe:2.3:a:apache:tomcat:4.1.34:::::::*
apache	tomcat	4.1.35	cpe:2.3:a:apache:tomcat:4.1.35:::::::*
apache	tomcat	4.1.36	cpe:2.3:a:apache:tomcat:4.1.36:::::::*
apache	tomcat	5.0.0	cpe:2.3:a:apache:tomcat:5.0.0:::::::*
apache	tomcat	5.0.1	cpe:2.3:a:apache:tomcat:5.0.1:::::::*
apache	tomcat	5.0.2	cpe:2.3:a:apache:tomcat:5.0.2:::::::*
apache	tomcat	5.0.3	cpe:2.3:a:apache:tomcat:5.0.3:::::::*
apache	tomcat	5.0.4	cpe:2.3:a:apache:tomcat:5.0.4:::::::*
apache	tomcat	5.0.5	cpe:2.3:a:apache:tomcat:5.0.5:::::::*
apache	tomcat	5.0.6	cpe:2.3:a:apache:tomcat:5.0.6:::::::*
apache	tomcat	5.0.7	cpe:2.3:a:apache:tomcat:5.0.7:::::::*
apache	tomcat	5.0.8	cpe:2.3:a:apache:tomcat:5.0.8:::::::*
apache	tomcat	5.0.9	cpe:2.3:a:apache:tomcat:5.0.9:::::::*

References for CVE-2008-5519

URL	Tags
http://lists.opensuse.org/opensuse-security-announce/2009-11/msg00004.html
http://mail-archives.apache.org/mod_mbox/www-announce/200904.mbox/%3C49DBBAC0.2080400%40apache.org%3E
http://marc.info/?l=tomcat-dev&m=123913700700879
http://secunia.com/advisories/29283
http://secunia.com/advisories/34621	Vendor Advisory
http://secunia.com/advisories/35537
http://securitytracker.com/id?1022001
http://sunsolve.sun.com/search/document.do?assetkey=1-26-262468-1
http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/native/common/jk_ajp_common.c?r1=702387&r2=702540&pathrev=702540&diff_format=h	Vendor Advisory
http://svn.eu.apache.org/viewvc/tomcat/connectors/trunk/jk/xdocs/miscellaneous/changelog.xml?view=markup&pathrev=702540	Exploit Vendor Advisory
http://svn.eu.apache.org/viewvc?view=rev&revision=702540	Vendor Advisory
http://tomcat.apache.org/connectors-doc/miscellaneous/changelog.html	Vendor Advisory
http://tomcat.apache.org/security-jk.html	Vendor Advisory
http://www.debian.org/security/2009/dsa-1810
http://www.openwall.com/lists/oss-security/2009/04/08/10
http://www.redhat.com/support/errata/RHSA-2009-0446.html
http://www.securityfocus.com/archive/1/502530/100/0/threaded
http://www.securityfocus.com/bid/34412
http://www.vupen.com/english/advisories/2009/0973
https://bugzilla.redhat.com/show_bug.cgi?id=490201	Vendor Advisory
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E

URL

CVE-2008-5519

Public exploit references (Exploit-DB) for CVE-2008-5519

Exploit prediction scoring system (EPSS) score for CVE-2008-5519

Common vulnerability scoring system (CVSS) metrics for CVE-2008-5519

Weakness enumeration for CVE-2008-5519

OS Trackers for CVE-2008-5519

Affected software / configurations for CVE-2008-5519

References for CVE-2008-5519