CVE-2018-8037

Published: 2018-08-02 14:29:00 (Aug 02, 2018 - 2:29 p.m.)
CWE-362
Source: web.nvd.nist.gov
apache tomcat
cve-2018-8037
race condition
connection closure
async request
container
nio
nio2

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:N/C:P/I:N/A:N

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

EPSS

0.004

Percentile

75.0%

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
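The race the description refers to is on the container side: the application's worker thread calls complete() at the same instant the container fires the async timeout, and the response buffer can end up on the wrong connection. The only fix is the upgraded container (Apache Tomcat 9.0.10 or 8.5.32 and later). The servlet below is an added example, written for this page and not taken from Tomcat or from any project the advisory covers; it shows the application-side discipline that keeps a deployment out of that window as much as the application can: every async request gets one owner flag, and only the side that wins the compare-and-set (worker or timeout listener) is allowed to touch the response and call complete(). The class name, the /account path, the 2 s timeout and the simulated backend delay are all illustrative assumptions.

```java
import java.io.IOException;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadLocalRandom;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;

import javax.servlet.AsyncContext;
import javax.servlet.AsyncEvent;
import javax.servlet.AsyncListener;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet for illustration; not part of Tomcat or of any real application.
// Uses the javax.servlet 3.x/4.x async API that Tomcat 8.5 and 9.0 implement.
@WebServlet(urlPatterns = "/account", asyncSupported = true)
public class GuardedAsyncServlet extends HttpServlet {

    // Application-owned pool that finishes requests off the container thread.
    private final ScheduledExecutorService worker = Executors.newScheduledThreadPool(4);

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        final AsyncContext ctx = req.startAsync(req, resp);
        ctx.setTimeout(2_000);   // container async timeout in milliseconds (assumed value)

        // Single-owner flag: the first side to flip it (worker or timeout listener)
        // is the only side that may write to the response and call complete().
        final AtomicBoolean finished = new AtomicBoolean(false);

        // Capture per-user state on the container thread, before the race window opens,
        // so the worker never reads request attributes after the container moved on.
        final String user = req.getRemoteUser() == null ? "anonymous" : req.getRemoteUser();

        ctx.addListener(new AsyncListener() {
            @Override public void onTimeout(AsyncEvent e) throws IOException {
                if (finished.compareAndSet(false, true)) {
                    // Timeout won: send a clean error and finish the request ourselves.
                    HttpServletResponse r = (HttpServletResponse) ctx.getResponse();
                    r.setStatus(HttpServletResponse.SC_SERVICE_UNAVAILABLE);
                    r.setContentType("text/plain");
                    r.getWriter().write("timed out");
                    ctx.complete();
                }
                // Otherwise the worker already completed the request: do not touch the response.
            }
            @Override public void onComplete(AsyncEvent e) { }
            @Override public void onError(AsyncEvent e) { finished.set(true); } // block late writes
            @Override public void onStartAsync(AsyncEvent e) { }
        });

        // Simulated slow backend: 0..4 s, so roughly half the requests cross the 2 s
        // timeout and exercise the complete()-versus-timeout ordering.
        long delayMs = ThreadLocalRandom.current().nextLong(0, 4_000);
        worker.schedule(() -> {
            if (!finished.compareAndSet(false, true)) {
                return;   // the container timed this request out first; discard the result
            }
            try {
                HttpServletResponse r = (HttpServletResponse) ctx.getResponse();
                r.setContentType("text/plain");
                r.getWriter().write("account data for " + user);
            } catch (IOException ex) {
                log("async write failed", ex);
            } finally {
                ctx.complete();   // exactly one complete() per request, on the owning side
            }
        }, delayMs, TimeUnit.MILLISECONDS);
    }

    @Override
    public void destroy() {
        worker.shutdownNow();
    }
}
```

The guard removes the application's own double-completion bugs (writing after a timeout, calling complete() twice), which in turn reduces how often the container is asked to reconcile a completion and a timeout at the same moment; it does not patch the container-side state tracking that this CVE describes, and a build in the affected ranges still needs upgrading. To confirm which build is deployed, run `$CATALINA_HOME/bin/version.sh` on the host rather than trusting the HTTP `Server` header, which is routinely suppressed or rewritten in front of Tomcat.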

Affected configurations

Vulners node:
  apache_software_foundation / apache_tomcat, range 9.0.0.M9 to 9.0.9
  OR
  apache_software_foundation / apache_tomcat, range 8.5.5 to 8.5.31

NVD CPE matches (first 10 of 211 rows):

Vendor  Product  Version  CPE
apache  tomcat   (any)    cpe:/a:apache:tomcat::::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone18::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone20::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone26::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone15::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone25::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone9::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone13::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone19::
apache  tomcat   9.0.0    cpe:/a:apache:tomcat:9.0.0:milestone10::

CNA Affected

[
  {
    "product": "Apache Tomcat",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "status": "affected",
        "version": "9.0.0.M9 to 9.0.9"
      },
      {
        "status": "affected",
        "version": "8.5.5 to 8.5.31"
      }
    ]
  }
]
