Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-34981

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

Published

2023-06-21T11:15:09.410

Last Modified

2024-11-21T08:07:46.027

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Primary
NVD-CWE-noinfo
Type: Secondary
CWE-732

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	apache	tomcat	8.5.88	Yes
Application	apache	tomcat	9.0.74	Yes
Application	apache	tomcat	10.1.8	Yes
Application	apache	tomcat	11.0.0	Yes

References

https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz Mailing List, Vendor Advisory ([email protected])
https://security.netapp.com/advisory/ntap-20230714-0003/ Third Party Advisory ([email protected])
https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz Mailing List, Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230714-0003/ Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)