csaf_suse - suse-su-2023:4513-1

suse-su-2023:4513-1

Vulnerability from csaf_suse

Published

2023-11-21 16:25

Modified

2023-11-21 16:25

Summary

Security update for apache2-mod_jk

Notes

Title of the patch

Security update for apache2-mod_jk

Description of the patch

This update for apache2-mod_jk fixes the following issues: Update to version 1.2.49: Apache * Retrieve default request id from mod_unique_id. It can also be taken from an arbitrary environment variable by configuring 'JkRequestIdIndicator'. * Don't delegate the generatation of the response body to httpd when the status code represents an error if the request used the HEAD method. * Only export the main module symbol. Visibility of module internal symbols led to crashes when conflicting with library symbols. Based on a patch provided by Josef Čejka. * Remove support for implicit mapping of requests to workers. All mappings must now be explicit. IIS * Set default request id as a GUID. It can also be taken from an arbitrary request header by configuring 'request_id_header'. * Fix non-empty check for the Translate header. Common * Fix compiler warning when initializing and copying fixed length strings. * Add a request id to mod_jk log lines. * Enable configure to find the correct sizes for pid_t and pthread_t when building on MacOS. * Fix Clang 15/16 compatability. Pull request #6 provided by Sam James. * Improve XSS hardening in status worker. * Add additional bounds and error checking when reading AJP messages. Docs * Remove support for the Netscape / Sun ONE / Oracle iPlanet Web Server as the product has been retired. * Remove links to the old JK2 documentation. The JK2 documentation is still available, it is just no longer linked from the current JK documentation. * Restructure subsections in changelog starting with version 1.2.45. Changes for 1.2.47 and 1.2.48 updates: * Add: Apache: Extend trace level logging of method entry/exit to aid debugging of request mapping issues. * Fix: Apache: Fix a bug in the normalization checks that prevented file based requests, such as SSI file includes, from being processed. * Fix: Apache: When using JkAutoAlias, ensure that files that include spaces in their name are accessible. * Update: Common: Update the documentation to reflect that the source code for the Apache Tomcat Connectors has moved from Subversion to Git. * Fix: Common: When using set_session_cookie, ensure that an updated session cookie is issued if the load-balancer has to failover to a different worker. * Update: Common: Update config.guess and config.sub from https://git.savannah.gnu.org/git/config.git. * Update: Common: Update release script for migration to git. Update to version 1.2.46 Fixes: * Apache: Fix regression in 1.2.44 which resulted in socket_connect_timeout to be interpreted in units of seconds instead of milliseconds on platforms that provide poll(). (rjung) * Security: CVE-2018-11759 Connector path traversal [bsc#1114612] Update to version 1.2.45 Fixes: * Correct regression in 1.2.44 that broke request handling for OPTIONS * requests. (rjung) * Improve path parameter parsing so that the session ID specified by the session_path worker property for load-balanced workers can be extracted from a path parameter in any segment of the URI, rather than only from the final segment. (markt) * Apache: Improve path parameter handling so that JkStripSession can remove session IDs that are specified on path parameters in any segment of the URI rather than only the final segment. (markt) * IIS: Improve path parameter handling so that strip_session can remove session IDs that are specified on path parameters in any segment of the URI rather than only the final segment. (markt) Updates: * Apache: Update the documentation to note additional limitations of the JkAutoAlias directive. (markt) Code: * Common: Optimize path parameter handling. (rjung) Update to version 1.2.44 Updates: * Remove the Novell Netware make files and Netware specific source code since there has not been a supported version of Netware available for over five years. (markt) * Apache: Update the documentation to use httpd 2.4.x style access control directives. (markt) * Update PCRE bundled with the ISAPI redirector to 8.42. (rjung) * Update config.guess and config.sub from https://git.savannah.gnu.org/git/config.git. (rjung) Fixes: * Common: Use Local, rather than Global, mutexs on Windows to better support multi-user environments. (markt) * Apache: Use poll rather than select to avoid the limitations of select triggering an httpd crash. Patch provided by Koen Wilde. (markt) * ISAPI: Remove the check that rejects requests that contain path segments that match WEB-INF or META-INF as it duplicates a check that Tomcat performs and, because ISAPI does not have visibility of the current context path, it is impossible to implement this check without valid requests being rejected. (markt) * Refactor normalisation of request URIs to a common location and align the normalisation implementation for mod_jk with that implemented by Tomcat. (markt) Add: * Clarify the behvaiour of lb workers when all ajp13 workers fail with particular reference to the role of the retries attribute. (markt) * Add the new load-balancer worker property lb_retries to improve the control over the number of retries. Based on a patch provided by Frederik Nosi. (markt) * Add a note to the documentation that the CollapseSlashes options are now effectively hard-coded to CollpaseSlashesAll due to the changes made to align normalization with that implemented in Tomcat. (markt)

Patchnames

SUSE-2023-4513,SUSE-SLE-Module-Server-Applications-15-SP4-2023-4513,SUSE-SLE-Module-Server-Applications-15-SP5-2023-4513,openSUSE-SLE-15.4-2023-4513,openSUSE-SLE-15.5-2023-4513

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for apache2-mod_jk",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for apache2-mod_jk fixes the following issues:\n\nUpdate to version 1.2.49:\n  Apache\n    * Retrieve default request id from mod_unique_id. It can also be\n      taken from an arbitrary environment variable by configuring\n      \u0027JkRequestIdIndicator\u0027.\n    * Don\u0027t delegate the generatation of the response body to httpd\n      when the status code represents an error if the request used\n      the HEAD method.\n    * Only export the main module symbol. Visibility of module \n      internal symbols led to crashes when conflicting with library\n      symbols. Based on a patch provided by Josef \u010cejka.\n    * Remove support for implicit mapping of requests to workers. \n      All mappings must now be explicit.\n  IIS\n    * Set default request id as a GUID. It can also be taken from an\n      arbitrary request header by configuring \u0027request_id_header\u0027.\n    * Fix non-empty check for the Translate header.\n  Common\n    * Fix compiler warning when initializing and copying fixed \n      length strings.\n    * Add a request id to mod_jk log lines.\n    * Enable configure to find the correct sizes for pid_t and \n      pthread_t when building on MacOS.\n    * Fix Clang 15/16 compatability. Pull request #6 provided by \n      Sam James.\n    * Improve XSS hardening in status worker.\n    * Add additional bounds and error checking when reading AJP \n      messages.\n  Docs\n    * Remove support for the Netscape / Sun ONE / Oracle iPlanet Web\n      Server as the product has been retired.\n    * Remove links to the old JK2 documentation. The JK2 \n      documentation is still available, it is just no longer linked\n      from the current JK documentation.\n    * Restructure subsections in changelog starting with version \n      1.2.45.\n\nChanges for 1.2.47 and 1.2.48 updates:\n  * Add: Apache: Extend trace level logging of method entry/exit to\n    aid debugging of request mapping issues.\n  * Fix: Apache: Fix a bug in the normalization checks that prevented\n    file based requests, such as SSI file includes, from being processed.\n  * Fix: Apache: When using JkAutoAlias, ensure that files that include\n    spaces in their name are accessible.\n  * Update: Common: Update the documentation to reflect that the source\n    code for the Apache Tomcat Connectors has moved from Subversion to Git.\n  * Fix: Common: When using set_session_cookie, ensure that an updated session\n    cookie is issued if the load-balancer has to failover to a different worker.\n  * Update: Common: Update config.guess and config.sub from\n    https://git.savannah.gnu.org/git/config.git.\n  * Update: Common: Update release script for migration to git.\n\nUpdate to version 1.2.46\n  Fixes:\n    * Apache: Fix regression in 1.2.44 which resulted in\n      socket_connect_timeout to be interpreted in units of seconds\n      instead of milliseconds on platforms that provide poll(). (rjung)\n    * Security: CVE-2018-11759 Connector path traversal [bsc#1114612]\n\nUpdate to version 1.2.45\n  Fixes:\n    * Correct regression in 1.2.44 that broke request handling for\n      OPTIONS * requests. (rjung)\n    * Improve path parameter parsing so that the session ID specified\n      by the session_path worker property for load-balanced workers\n      can be extracted from a path parameter in any segment of the\n      URI, rather than only from the final segment. (markt)\n    * Apache: Improve path parameter handling so that JkStripSession\n      can remove session IDs that are specified on path parameters in any\n      segment of the URI rather than only the final segment. (markt)\n    * IIS: Improve path parameter handling so that strip_session can\n      remove session IDs that are specified on path parameters in any\n      segment of the URI rather than only the final segment. (markt) \n  Updates:\n    * Apache: Update the documentation to note additional\n      limitations of the JkAutoAlias directive. (markt)\n  Code:\n    * Common: Optimize path parameter handling. (rjung)\n\nUpdate to version 1.2.44\n  Updates:\n    * Remove the Novell Netware make files and Netware specific source\n      code since there has not been a supported version of Netware\n      available for over five years. (markt)\n    * Apache: Update the documentation to use httpd 2.4.x style access\n      control directives. (markt)\n    * Update PCRE bundled with the ISAPI redirector to 8.42. (rjung)\n    * Update config.guess and config.sub from\n      https://git.savannah.gnu.org/git/config.git. (rjung)\n  Fixes:\n    * Common: Use Local, rather than Global, mutexs on Windows to\n      better support multi-user environments. (markt)\n    * Apache: Use poll rather than select to avoid the limitations of\n      select triggering an httpd crash. Patch provided by Koen Wilde. (markt)\n    * ISAPI: Remove the check that rejects requests that contain path\n      segments that match WEB-INF or META-INF as it duplicates a check\n      that Tomcat performs and, because ISAPI does not have visibility of\n      the current context path, it is impossible to implement this check\n      without valid requests being rejected. (markt)\n    * Refactor normalisation of request URIs to a common location and align\n      the normalisation implementation for mod_jk with that implemented by\n      Tomcat. (markt)\n  Add:\n    * Clarify the behvaiour of lb workers when all ajp13 workers fail with\n      particular reference to the role of the retries attribute. (markt)\n    * Add the new load-balancer worker property lb_retries to improve the\n      control over the number of retries. Based on a patch provided by\n      Frederik Nosi. (markt)\n    * Add a note to the documentation that the CollapseSlashes options are\n      now effectively hard-coded to CollpaseSlashesAll due to the changes\n      made to align normalization with that implemented in Tomcat. (markt)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2023-4513,SUSE-SLE-Module-Server-Applications-15-SP4-2023-4513,SUSE-SLE-Module-Server-Applications-15-SP5-2023-4513,openSUSE-SLE-15.4-2023-4513,openSUSE-SLE-15.5-2023-4513",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_4513-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2023:4513-1",
        "url": "https://www.suse.com/support/update/announcement/2023/suse-su-20234513-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2023:4513-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-November/017156.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1114612",
        "url": "https://bugzilla.suse.com/1114612"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-11759 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-11759/"
      }
    ],
    "title": "Security update for apache2-mod_jk",
    "tracking": {
      "current_release_date": "2023-11-21T16:25:57Z",
      "generator": {
        "date": "2023-11-21T16:25:57Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2023:4513-1",
      "initial_release_date": "2023-11-21T16:25:57Z",
      "revision_history": [
        {
          "date": "2023-11-21T16:25:57Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
                "product": {
                  "name": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
                  "product_id": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_jk-1.2.49-150100.6.6.1.i586",
                "product": {
                  "name": "apache2-mod_jk-1.2.49-150100.6.6.1.i586",
                  "product_id": "apache2-mod_jk-1.2.49-150100.6.6.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
                "product": {
                  "name": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
                  "product_id": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
                "product": {
                  "name": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
                  "product_id": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
                "product": {
                  "name": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
                  "product_id": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Server Applications 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Server Applications 15 SP4",
                  "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-server-applications:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Server Applications 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Server Applications 15 SP5",
                  "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-server-applications:15:sp5"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.5",
                "product": {
                  "name": "openSUSE Leap 15.5",
                  "product_id": "openSUSE Leap 15.5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64 as component of SUSE Linux Enterprise Module for Server Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le as component of SUSE Linux Enterprise Module for Server Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x as component of SUSE Linux Enterprise Module for Server Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.s390x"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64 as component of SUSE Linux Enterprise Module for Server Applications 15 SP4",
          "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64 as component of SUSE Linux Enterprise Module for Server Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le as component of SUSE Linux Enterprise Module for Server Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x as component of SUSE Linux Enterprise Module for Server Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.s390x"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64 as component of SUSE Linux Enterprise Module for Server Applications 15 SP5",
          "product_id": "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Server Applications 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.s390x"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64 as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.s390x"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64 as component of openSUSE Leap 15.5",
          "product_id": "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64"
        },
        "product_reference": "apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-11759",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-11759"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
          "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
          "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
          "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
          "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
          "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
          "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
          "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
          "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
          "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
          "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
          "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
          "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
          "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
          "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
          "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-11759",
          "url": "https://www.suse.com/security/cve/CVE-2018-11759"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1114612 for CVE-2018-11759",
          "url": "https://bugzilla.suse.com/1114612"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
            "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
            "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
            "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
            "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
            "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
            "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
            "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
            "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
            "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
            "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
            "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
            "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
            "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
            "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
            "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
            "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
            "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
            "SUSE Linux Enterprise Module for Server Applications 15 SP4:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
            "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
            "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
            "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
            "SUSE Linux Enterprise Module for Server Applications 15 SP5:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
            "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
            "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
            "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
            "openSUSE Leap 15.4:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64",
            "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.aarch64",
            "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.ppc64le",
            "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.s390x",
            "openSUSE Leap 15.5:apache2-mod_jk-1.2.49-150100.6.6.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-11-21T16:25:57Z",
          "details": "important"
        }
      ],
      "title": "CVE-2018-11759"
    }
  ]
}

CVE-2018-11759 (GCVE-0-2018-11759)

Vulnerability from cvelistv5

Published

2018-10-31 20:00

Modified

2024-08-05 08:17

Severity ?

CWE

Information Disclosure

Summary

The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical.

References

▼	URL	Tags
	https://www.debian.org/security/2018/dsa-4357	vendor-advisory, x_refsource_DEBIAN
	https://access.redhat.com/errata/RHSA-2019:0367	vendor-advisory, x_refsource_REDHAT
	http://www.securityfocus.com/bid/105888	vdb-entry, x_refsource_BID
	https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad%40%3Cannounce.tomcat.apache.org%3E	x_refsource_MISC
	https://lists.debian.org/debian-lts-announce/2018/12/msg00007.html	mailing-list, x_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:0366	vendor-advisory, x_refsource_REDHAT
	https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
	https://www.oracle.com/security-alerts/cpujan2020.html	x_refsource_MISC
	https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST
	https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Tomcat Connectors	Version: Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T08:17:08.977Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "DSA-4357",
            "tags": [
              "vendor-advisory",
              "x_refsource_DEBIAN",
              "x_transferred"
            ],
            "url": "https://www.debian.org/security/2018/dsa-4357"
          },
          {
            "name": "RHSA-2019:0367",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0367"
          },
          {
            "name": "105888",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/105888"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad%40%3Cannounce.tomcat.apache.org%3E"
          },
          {
            "name": "[debian-lts-announce] 20181217 [SECURITY] [DLA 1609-1] libapache-mod-jk security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00007.html"
          },
          {
            "name": "RHSA-2019:0366",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0366"
          },
          {
            "name": "[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
          },
          {
            "name": "[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
          },
          {
            "name": "[tomcat-dev] 20200213 svn commit: r1873980 [30/34] - /tomcat/site/trunk/docs/",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Apache Tomcat Connectors",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "status": "affected",
              "version": "Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44"
            }
          ]
        }
      ],
      "datePublic": "2018-10-31T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Information Disclosure",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-02-13T16:10:16",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "name": "DSA-4357",
          "tags": [
            "vendor-advisory",
            "x_refsource_DEBIAN"
          ],
          "url": "https://www.debian.org/security/2018/dsa-4357"
        },
        {
          "name": "RHSA-2019:0367",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0367"
        },
        {
          "name": "105888",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/105888"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad%40%3Cannounce.tomcat.apache.org%3E"
        },
        {
          "name": "[debian-lts-announce] 20181217 [SECURITY] [DLA 1609-1] libapache-mod-jk security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00007.html"
        },
        {
          "name": "RHSA-2019:0366",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0366"
        },
        {
          "name": "[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
        },
        {
          "name": "[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E"
        },
        {
          "name": "[tomcat-dev] 20200213 svn commit: r1873980 [30/34] - /tomcat/site/trunk/docs/",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@apache.org",
          "ID": "CVE-2018-11759",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Apache Tomcat Connectors",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Apache Software Foundation"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Apache Web Server (httpd) specific code that normalised the requested path before matching it to the URI-worker map in Apache Tomcat JK (mod_jk) Connector 1.2.0 to 1.2.44 did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via httpd, then it was possible for a specially constructed request to expose application functionality through the reverse proxy that was not intended for clients accessing the application via the reverse proxy. It was also possible in some configurations for a specially constructed request to bypass the access controls configured in httpd. While there is some overlap between this issue and CVE-2018-1323, they are not identical."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Information Disclosure"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "DSA-4357",
              "refsource": "DEBIAN",
              "url": "https://www.debian.org/security/2018/dsa-4357"
            },
            {
              "name": "RHSA-2019:0367",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0367"
            },
            {
              "name": "105888",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/105888"
            },
            {
              "name": "https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad@%3Cannounce.tomcat.apache.org%3E",
              "refsource": "MISC",
              "url": "https://lists.apache.org/thread.html/6d564bb0ab73d6b3efdd1d6b1c075d1a2c84ecd84a4159d6122529ad@%3Cannounce.tomcat.apache.org%3E"
            },
            {
              "name": "[debian-lts-announce] 20181217 [SECURITY] [DLA 1609-1] libapache-mod-jk security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2018/12/msg00007.html"
            },
            {
              "name": "RHSA-2019:0366",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0366"
            },
            {
              "name": "[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "https://www.oracle.com/security-alerts/cpujan2020.html",
              "refsource": "MISC",
              "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
            },
            {
              "name": "[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@%3Cdev.tomcat.apache.org%3E"
            },
            {
              "name": "[tomcat-dev] 20200213 svn commit: r1873980 [30/34] - /tomcat/site/trunk/docs/",
              "refsource": "MLIST",
              "url": "https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c@%3Cdev.tomcat.apache.org%3E"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2018-11759",
    "datePublished": "2018-10-31T20:00:00",
    "dateReserved": "2018-06-05T00:00:00",
    "dateUpdated": "2024-08-05T08:17:08.977Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted