PT-2008-1546 · Apache · Apache Tomcat

Published 2008-02-08 · Updated 2022-05-01 · CVE-2007-6286

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 5.5.11 through 5.5.25
Apache Tomcat versions 6.0.0 through 6.0.15

Description

The issue arises when the native APR connector is in use and an empty request is sent to the SSL port. Tomcat may then process a duplicate copy of one of the recently received requests, which can lead to unintended behavior, including exposure of another client's request data. The condition can be demonstrated by using netcat to open a connection to the SSL port and then disconnecting without sending any data.

Recommendations

For Apache Tomcat versions 5.5.11 through 5.5.25, disable the native APR connector until a patched version is available. For Apache Tomcat versions 6.0.0 through 6.0.15, disable the native APR connector until a patched version is available.
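The mitigation above expressed as a server.xml excerpt. This is an added, constructed example, not configuration from the advisory or the Tomcat project: the keystore path and password are placeholders, and the surrounding Server/Service/Engine elements are a minimal assumed layout.

```xml
<!-- server.xml excerpt (constructed example): native APR disabled,
     HTTPS served by the pure-Java (JSSE) connector instead. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Weak setting: this listener loads the Tomcat Native library and lets
       connectors pick the APR implementation. Remove or comment it out so
       the affected APR/SSL code path is never used. -->
  <!--
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  -->

  <Service name="Catalina">
    <!-- Corrected setting: pin the SSL connector to the Java HTTP/1.1
         implementation explicitly rather than relying on protocol="HTTP/1.1",
         which auto-selects APR when the native library is present.
         keystoreFile and keystorePass are assumed placeholder values. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.home}/conf/keystore.jks"
               keystorePass="CHANGE-ME-placeholder" />

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

After restarting, confirm the change took effect by checking catalina.out for the absence of the "Loaded APR based Apache Tomcat Native library" message and for the Java connector being initialised on port 8443.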

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2007-6286
GHSA-QRJ4-RMQG-4HCP

Affected Products

Apache Tomcat