Brad Plies

#49238 of 53,635
5 CVSS total
Vulnerabilities · 1
PT-2011-3158
5.0
2011-04-06
Apache · Apache Tomcat · CVE-2011-1475
**Name of the Vulnerable Software and Affected Versions**

Apache Tomcat versions 7.0.0 through 7.0.11

**Description**

The issue arises from the HTTP BIO connector in Apache Tomcat not properly handling HTTP pipelining. This allows remote attackers to potentially read responses intended for other clients by examining the application data in HTTP packets. The problem is related to a mix-up of responses for requests from different users.

Changes introduced to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining, leading to unexpected behaviors including the mixing up of responses between requests. While the mix-up in responses was primarily observed between requests from the same user, there is a possibility that responses could be mixed up between requests from different users.

**Recommendations**

For Apache Tomcat versions 7.0.0 through 7.0.11, update to version 7.0.12 or later to resolve the issue.