Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-34981

Опубликовано: 21 июн. 2023
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

A flaw was found in Tomcat. If a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent, resulting in at least one AJP based proxy (mod_proxy_ajp) using the response headers from the previous request for the current request, leading to an information leak. The information leaked may give a user sensitive information which is uncontrolled.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6tomcat6Out of support scope
Red Hat Enterprise Linux 7tomcatOut of support scope
Red Hat Enterprise Linux 8pki-deps:10.6/pki-servlet-engineNot affected
Red Hat Enterprise Linux 8tomcatNot affected
Red Hat Enterprise Linux 9pki-servlet-engineNot affected
Red Hat Enterprise Linux 9tomcatNot affected
Red Hat JBoss Web Server 5tomcatNot affected
Red Hat JBoss Web Server 6tomcatNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=2216439tomcat: response headers from the previous request leading to an information leak

EPSS

Процентиль: 46%
0.00231
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2023-34981

CVSS3: 7.5
ubuntu
почти 2 года назад

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

nvd логотип

CVE-2023-34981

CVSS3: 7.5
nvd
почти 2 года назад

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

debian логотип

CVE-2023-34981

CVSS3: 7.5
debian
почти 2 года назад

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1 ...

github логотип

GHSA-mppv-79ch-vw6q

CVSS3: 7.5
github
почти 2 года назад

Apache Tomcat vulnerable to information leak

fstec логотип

BDU:2023-04867

CVSS3: 7.5
fstec
почти 2 года назад

Уязвимость сервера приложений Apache Tomcat, связанная с отсутствием защиты служебных данных. позволяющая нарушителю получить доступ к конфиденциальной информации

EPSS

Процентиль: 46%
0.00231
Низкий

7.5 High

CVSS3