GHSA-mppv-79ch-vw6q

Source

https://github.com/advisories/GHSA-mppv-79ch-vw6q

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mppv-79ch-vw6q

Aliases

Published

2023-06-21T12:30:19Z

Modified

2024-04-24T19:44:03Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Apache Tomcat vulnerable to information leak

Details

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SENDHEADERS message would be sent for the response which in turn meant that at least one AJP proxy (modproxy_ajp) would use the response headers from the previous request leading to an information leak.

Database specific

{
    "nvd_published_at": "2023-06-21T11:15:09Z",
    "github_reviewed_at": "2023-06-21T22:06:39Z",
    "cwe_ids": [
        "CWE-732"
    ],
    "severity": "HIGH",
    "github_reviewed": true
}

References

Affected packages

Maven

org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

11.0.0-M5

Fixed

11.0.0-M6

Affected versions

11.*

11.0.0-M5

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json"

org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

10.1.8

Fixed

10.1.9

Affected versions

10.*

10.1.8

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json"

org.apache.tomcat.embed:tomcat-embed-core

Package

Name: org.apache.tomcat.embed:tomcat-embed-core; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

9.0.74

Fixed

9.0.75

Affected versions

9.*

9.0.74

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json"

org.apache.tomcat:tomcat-coyote

Package

Name: org.apache.tomcat:tomcat-coyote; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type: ECOSYSTEM
Events: Introduced

8.5.88

Fixed

8.5.89

Affected versions

8.*

8.5.88

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json"