Bug 1215301 (CVE-2023-41081)

Summary: VUL-0: CVE-2023-41081: apache2-mod_jk: information disclosure
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Gus Kenion <gus.kenion>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gianluca.gabrielli, gus.kenion, jreuter, meissner, postadal, security-team, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/378139/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-41081:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2023-09-13 11:36:35 UTC 
CVE-2023-41081

Posted by Mark Thomas on Sep 13CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat Connectors mod_jk Connector 1.2.0 to 1.2.48

Description:
In some circumstances, such as when a configuration included
"JkOptions +ForwardDirectories" but the configuration did not provide 
explicit mounts for all possible proxied requests, mod_jk would use an 
implicit...

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-41081
https://seclists.org/oss-sec/2023/q3/176
Comment 4 Gus Kenion 2023-11-13 10:02:39 UTC 
Submitted change request 312326, which addresses this issue with an update to version 1.2.49.
Comment 9 Maintenance Automation 2024-04-10 12:30:01 UTC 
SUSE-SU-2024:1198-1: An update that solves one vulnerability and has two security fixes can now be installed.

Category: security (moderate)
Bug References: 1167896, 1206261, 1215301
CVE References: CVE-2023-41081
Maintenance Incident: [SUSE:Maintenance:33158](https://smelt.suse.de/incident/33158/)
Sources used:
SUSE Linux Enterprise High Performance Computing 12 SP5 (src):
 apache2-mod_jk-1.2.49-7.9.1
SUSE Linux Enterprise Server 12 SP5 (src):
 apache2-mod_jk-1.2.49-7.9.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src):
 apache2-mod_jk-1.2.49-7.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.