Lucene search

K
githubGitHub Advisory DatabaseGHSA-QHQV-Q4XG-F6G7
HistoryMay 01, 2022 - 2:15 a.m.

Apache Tomcat AJP Connector Information Leak

2022-05-0102:15:08
CWE-200
GitHub Advisory Database
github.com
8
apache tomcat
ajp connector
information leak
hitachi cosminexus
application server
java servlet pages
software

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS

0.009

Percentile

82.8%

The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when β€œunsuitable request body data” is used for a different request, possibly related to Java Servlet pages.

Affected configurations

Vulners
Node
org.apache.tomcat\Matchtomcat
OR
org.apache.tomcat\Matchtomcat

CVSS2

2.6

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

EPSS

0.009

Percentile

82.8%