Advertisement






Apache Tomcat 8.x / 9.x Refactoring Information Disclosure

CVE Category Price Severity
CVE-2017-5651 CWE-200 $5000 High
Author Risk Exploitation Type Date
Unknown High Remote 2017-04-11
CPE
cpe:cpe:/a:apache:tomcat:8.x
CVSS EPSS EPSSP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N 0.02192 0.50148

CVSS vector description

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017040061

Below is a copy:

Apache Tomcat 8.x / 9.x Refactoring Information DisclosureCVE-2017-5651 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M18
Apache Tomcat 8.5.0 to 8.5.12
Apache Tomcat 8.0.x and earlier are not affected

Description:
The refactoring of the HTTP connectors for 8.5.x onwards, introduced a
regression in the send file processing. If the send file processing
completed quickly, it was possible for the Processor to be added to the
processor cache twice. This could result in the same Processor being
used for multiple requests which in turn could lead to unexpected errors
and/or response mix-up.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M19 or later
- Upgrade to Apache Tomcat 8.5.13 or later

Credit:
This issue was reported publicly as Bug 60918 [1] and the security
implications identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60918
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html


Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.