The Apache Web Server (httpd) specific code that normalised the requested
path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk)
Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only
a sub-set of the URLs supported by Tomcat were exposed via httpd, then it
was possible for a specially constructed request to expose application
functionality through the reverse proxy that was not intended for clients
accessing the application via the reverse proxy. It was also possible in
some configurations for a specially constructed request to bypass the
access controls configured in httpd. While there is some overlap between
this issue and CVE-2018-1323, they are not identical.
Upstream:released (1:1.2.46-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):needs-triage
Ubuntu 16.04 LTS (Xenial Xerus):needs-triage
Ubuntu 18.04 LTS (Bionic Beaver):needs-triage
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected (1:1.2.46-1)
Ubuntu 19.04 (Disco Dingo):not-affected
More Information

Updated: 2019-01-14 21:29:11 UTC (commit 51f9b73af244ba86b9321e46e526586c25a8e060)