Hidenobu Hayashi

Researcher at M3, Inc.
#32196 of 53,635
7.8 CVSS total
Vulnerabilities · 1
PT-2023-4472
7.8
2023-05-19
Apache · Apache Tomcat · CVE-2023-34981
**Name of the Vulnerable Software and Affected Versions**

Apache Tomcat versions 11.0.0-M5, 10.1.8, 9.0.74, and 8.5.88

**Description**

A regression in the fix for bug 66512 in Apache Tomcat meant that, if a response did not include any HTTP headers, no AJP SEND HEADERS message would be sent for the response. This in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request, leading to an information leak.

**Recommendations**

For Apache Tomcat versions 11.0.0-M5, 10.1.8, 9.0.74, and 8.5.88, update to a version that includes the fix for bug 66591 to resolve the issue. As a temporary workaround, consider restricting the use of the AJP proxy (mod_proxy_ajp) until a patch is available, and avoid using the AJP protocol until the issue is resolved.