Apache Tomcat (tomcat) | TOMCAT:1A334823720FF53D1F0FD59CB83006C6
Jan 16, 2017 - 12:00 a.m.

Fixed in Apache Tomcat 9.0.0.M17

2017-01-16 00:00:00
Apache Tomcat
tomcat.apache.org

CVSS2: 5
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS: 0.002
Percentile: 56.5%

Note: The issue below was fixed in Apache Tomcat 9.0.0.M16 but the release vote for the 9.0.0.M16 release candidate did not pass. Therefore, although users must download 9.0.0.M17 to obtain a version that includes the fix for this issue, version 9.0.0.M16 is not included in the list of affected versions.

Moderate: Information Disclosure CVE-2016-8747

The refactoring to make wider use of ByteBuffer introduced a regression that could cause information to leak between requests on the same connection. When running behind a reverse proxy, this could result in information leakage between users. All HTTP connector variants are affected but HTTP/2 and AJP are not affected.

This was fixed in revision 1774161.

This issue was identified by the Apache Tomcat Security Team on 14 December 2016 and made public on 13 March 2017.

Affects: 9.0.0.M11 to 9.0.0.M15

Affected configurations

Vulners node:
apache tomcat, Range 9.0.0.M11
OR
apache tomcat, Range 9.0.0.M15
