The Apache Web Server (httpd) specific code that normalised the requested
path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk)
Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only
a sub-set of the URLs supported by Tomcat were exposed via httpd, then it
was possible for a specially constructed request to expose application
functionality through the reverse proxy that was not intended for clients
accessing the application via the reverse proxy. It was also possible in
some configurations for a specially constructed request to bypass the
access controls configured in httpd. While there is some overlap between
this issue and CVE-2018-1323, they are not identical.
Upstream:released (1:1.2.46-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needs-triage)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (1:1.2.46-1)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (1:1.2.46-1)
Ubuntu 20.04 LTS (Focal Fossa):not-affected (1:1.2.46-1)
Ubuntu 20.10 (Groovy Gorilla):not-affected (1:1.2.46-1)
More Information

Updated: 2020-09-30 18:15:50 UTC (commit eda1df4ebe7485e7354c43399bbed29742d2271d)