Coty Sutherland

**Name of the Vulnerable Software and Affected Versions** mod proxy cluster (affected versions not specified) **Description** A flaw exists in mod proxy cluster, specifically a Carriage Return Line Feed (CRLF) injection in the `decodeenc()` function. This allows a remote attacker to bypass input validation. By injecting CRLF sequences into the cluster configuration, an attacker can corrupt the response body of responses from the `/INFO` endpoint. Exploitation requires network access to the MCMP protocol port, but authentication is not needed. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Apache Tomcat Native versions 1.1.23 through 1.1.34 Apache Tomcat Native versions 1.2.0 through 1.2.16 Description: The issue arises when using an OCSP responder, where Apache Tomcat Native did not correctly handle invalid responses. This led to revoked client certificates being incorrectly identified, allowing users to authenticate with revoked certificates when using mutual TLS. Recommendations: For Apache Tomcat Native versions 1.1.23 through 1.1.34, update to a version that correctly handles OCSP responses to prevent authentication with revoked certificates. For Apache Tomcat Native versions 1.2.0 through 1.2.16, update to a version that correctly handles OCSP responses to prevent authentication with revoked certificates. As a temporary workaround, consider disabling OCSP checks until a patch is available.