CVSS3 base score: 7.5 (High)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.004 (Low)
EPSS Percentile: 74.6%
tomcat-coyote is vulnerable to Information Disclosure. The vulnerability exists because the library does not send an AJP SEND_HEADERS message when the HTTP response has no headers set. An AJP-based proxy (mod_proxy_ajp) then reuses the response headers from the previous request for the current response, leading to an information leak.
bz.apache.org/bugzilla/show_bug.cgi?id=66512
bz.apache.org/bugzilla/show_bug.cgi?id=66591
github.com/apache/tomcat/commit/327c0d77470e40ede3853fb452a78b4144258c19
github.com/apache/tomcat/commit/3f379d417ebba69af1f3f48df52e64a2a6f5e283
github.com/apache/tomcat/commit/e239c5dbb07e70d1d6298e6f066b4f69d6df39df
github.com/apache/tomcat/commit/ed6d4ccd59ec2e1c99bf0d3533219292f2107fde
lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
security.netapp.com/advisory/ntap-20230714-0003/