An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.
{
"versions": [
{
"introduced": "0"
},
{
"last_affected": "8.5.7"
},
{
"introduced": "0"
},
{
"last_affected": "8.5.8"
},
{
"introduced": "0"
},
{
"last_affected": "8.5.9"
},
{
"introduced": "0"
},
{
"last_affected": "9.0.0-milestone11"
},
{
"introduced": "0"
},
{
"last_affected": "9.0.0-milestone13"
},
{
"introduced": "0"
},
{
"last_affected": "9.0.0-milestone15"
}
]
}