BIT-tomcat-2023-42795

2024-03-0611:08:01

Google

osv.dev

apache tomcat

information leaking

software upgrade

incomplete cleanup

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.2 Medium

AI Score

Confidence

High

0.01 Low

EPSS

Percentile

83.5%

JSON

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

CPENameOperatorVersion
tomcatle10.1.0-milestone12
tomcatge11.0.0-milestone3
tomcatge9.0.0-milestone11
tomcatge10.1.0-milestone6
tomcatle9.0.0-milestone25
tomcatle9.0.0-milestone6
tomcatge10.1.0-milestone12
tomcatge11.0.0-milestone7
tomcatge9.0.0-milestone25
tomcatge9.0.0-milestone6

Name	Operator	Version
tomcat	le	10.1.0-milestone12
tomcat	ge	11.0.0-milestone3
tomcat	ge	9.0.0-milestone11
tomcat	ge	10.1.0-milestone6
tomcat	le	9.0.0-milestone25
tomcat	le	9.0.0-milestone6
tomcat	ge	10.1.0-milestone12
tomcat	ge	11.0.0-milestone7
tomcat	ge	9.0.0-milestone25
tomcat	ge	9.0.0-milestone6