PT-2017-9778 · Apache · Apache Tomcat

Published 2017-01-16 · Updated 2024-10-15 · CVE-2016-8747

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Apache Tomcat versions 8.5.7 through 8.5.9
Apache Tomcat versions 9.0.0.M11 through 9.0.0.M15

Description

An information disclosure issue was discovered in Apache Tomcat in reverse-proxy configurations, allowing remote attackers to read data intended for a different request. The issue is caused by a regression introduced by the refactoring to make wider use of ByteBuffer, which could cause information to leak between requests on the same connection. All HTTP connector variants are affected.

Recommendations

For Apache Tomcat versions 8.5.7 through 8.5.9, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 9.0.0.M11 through 9.0.0.M15, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting the use of HTTP connector variants to minimize the risk of information leakage between users.
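The affected ranges above can be checked mechanically during an inventory sweep. The following Python is an added example, not code from this advisory or from the Tomcat project: it parses a Tomcat version string (or the `Server version:` line printed by Tomcat's version script, reproduced here as a constructed sample) and reports whether it falls inside the advisory's two ranges, ordering milestone builds such as 9.0.0.M15 before the final 9.0.0 release.

```python
import re

# Affected ranges exactly as stated in the advisory (inclusive at both ends).
AFFECTED_RANGES = [
    ("8.5.7", "8.5.9"),
    ("9.0.0.M11", "9.0.0.M15"),
]

# Constructed sample of the output of Tomcat's version script (catalina.sh version);
# only the "Server version:" line is used below.
SAMPLE_VERSION_OUTPUT = """\
Server version: Apache Tomcat/8.5.9
Server built:   Dec 5 2016 20:18:12 UTC
Server number:  8.5.9.0
"""


def parse_tomcat_version(version):
    """Turn '8.5.9' or '9.0.0.M11' into a tuple that sorts correctly.

    A milestone build precedes the final release of the same numeric version
    (9.0.0.M15 < 9.0.0), so milestones get a (0, n) suffix and releases (1, 0).
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    numeric = (int(major), int(minor), int(patch))
    if milestone is not None:
        return numeric + (0, int(milestone))
    return numeric + (1, 0)


def is_affected(version):
    """True if the version lies in any range listed by the advisory."""
    v = parse_tomcat_version(version)
    return any(parse_tomcat_version(lo) <= v <= parse_tomcat_version(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_server_info(text):
    """Extract the version from a 'Server version: Apache Tomcat/x.y.z' line."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", text)
    if not m:
        raise ValueError("no 'Server version: Apache Tomcat/...' line found")
    return m.group(1)


if __name__ == "__main__":
    ver = version_from_server_info(SAMPLE_VERSION_OUTPUT)
    print(f"Tomcat {ver}: {'AFFECTED' if is_affected(ver) else 'not affected'}")
```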

Fix

Weakness Enumeration: Information Disclosure

Related Identifiers: CVE-2016-8747, GHSA-FJWP-R6FM-Q6QW

Affected Products

Apache Tomcat