GHSA-qrj4-rmqg-4hcp

Source

https://github.com/advisories/GHSA-qrj4-rmqg-4hcp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qrj4-rmqg-4hcp/GHSA-qrj4-rmqg-4hcp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qrj4-rmqg-4hcp

Aliases

CVE-2007-6286

Published

2022-05-01T18:41:17Z

Modified

2023-11-08T03:56:49.352103Z

Summary

Apache Tomcat Does Not Properly Handle Empty Requests

Details

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

Database specific

{
    "nvd_published_at": "2008-02-12T01:00:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-22T21:07:18Z"
}

References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

5.5.11

Last affected

5.5.25

Maven / org.apache.tomcat:tomcat

Package

Name: org.apache.tomcat:tomcat; View open source insights on deps.dev
Purl: pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.0.0

Last affected

6.0.15