PT-2023-4472 · Apache · Apache Tomcat
Hidenobu Hayashi
Published 2023-05-19 · Updated 2024-10-09
CVE-2023-34981
CVSS v2.0: 7.8 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M5, 10.1.8, 9.0.74, and 8.5.88
Description
A regression in the fix for bug 66512 in Apache Tomcat meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message was sent for that response. At least one AJP proxy, mod_proxy_ajp, then kept and reused the response headers from the previous request on the same connection, leading to an information leak: headers set for one client's response (for example Set-Cookie or Location) could be delivered with another client's response.
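To make the mechanism concrete, here is an added example (not Tomcat or mod_proxy_ajp code) modelling both sides of an AJP13 connection in Python: the container emits SEND_HEADERS, SEND_BODY_CHUNK and END_RESPONSE messages, and a proxy keeps per-connection response state that is only replaced when a SEND_HEADERS message arrives. The packet framing and string encoding follow AJP13; the proxy's state handling and the two sample responses are constructed for illustration.

```python
"""Model of the CVE-2023-34981 header-reuse mechanism over AJP13 (added example;
framing and string encoding follow the protocol, the proxy state model and the
sample responses are constructed for illustration)."""
import struct

SEND_BODY_CHUNK = 3   # container -> web server: a chunk of response body
SEND_HEADERS = 4      # container -> web server: status line and headers
END_RESPONSE = 5      # container -> web server: response finished


def _ajp_string(text: str) -> bytes:
    """AJP13 string: 2-byte big-endian length, the bytes, then a NUL terminator."""
    data = text.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"


def _frame(payload: bytes) -> bytes:
    """Container-to-web-server packet: magic 'AB', 2-byte payload length, payload."""
    return b"AB" + struct.pack(">H", len(payload)) + payload


def send_headers(status: int, reason: str, headers: dict) -> bytes:
    """Encode SEND_HEADERS. Header names are sent as plain strings here; the
    protocol's 0xA0xx short codes for common names are not used in this model."""
    body = bytes([SEND_HEADERS]) + struct.pack(">H", status) + _ajp_string(reason)
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        body += _ajp_string(name) + _ajp_string(value)
    return _frame(body)


def send_body_chunk(data: bytes) -> bytes:
    return _frame(bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(data)) + data + b"\x00")


def end_response() -> bytes:
    return _frame(bytes([END_RESPONSE, 1]))  # trailing 1 = connection may be reused


def tomcat_response(status, reason, headers, body, always_send_headers):
    """Container side. With the regression, a response carrying no headers
    produces no SEND_HEADERS at all; the fix for bug 66591 always sends one."""
    out = b""
    if headers or always_send_headers:
        out += send_headers(status, reason, headers)
    return out + send_body_chunk(body) + end_response()


def _read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("latin-1"), off + 2 + n + 1


def proxy_replay(stream: bytes):
    """Web-server side: a proxy with per-connection response state that, like the
    vulnerable behaviour described above, replaces its stored headers only when a
    SEND_HEADERS message arrives. Returns the responses it would hand to clients."""
    status, headers, body, responses = 0, {}, b"", []
    off = 0
    while off < len(stream):
        assert stream[off:off + 2] == b"AB", "bad AJP magic"
        (length,) = struct.unpack_from(">H", stream, off + 2)
        payload = stream[off + 4:off + 4 + length]
        off += 4 + length
        kind = payload[0]
        if kind == SEND_HEADERS:
            (status,) = struct.unpack_from(">H", payload, 1)
            _reason, p = _read_string(payload, 3)
            (count,) = struct.unpack_from(">H", payload, p)
            p += 2
            headers = {}
            for _ in range(count):
                name, p = _read_string(payload, p)
                value, p = _read_string(payload, p)
                headers[name] = value
        elif kind == SEND_BODY_CHUNK:
            (n,) = struct.unpack_from(">H", payload, 1)
            body += payload[3:3 + n]
        elif kind == END_RESPONSE:
            responses.append({"status": status, "headers": dict(headers), "body": body})
            body = b""   # the body is reset per response, the headers are not
    return responses


def simulate(always_send_headers: bool):
    """Two back-to-back responses on one AJP connection (constructed sample): a
    login response that sets a session cookie, then a header-less response for
    a different client."""
    stream = tomcat_response(200, "OK", {"Set-Cookie": "JSESSIONID=A1B2C3; HttpOnly"},
                             b"welcome alice", always_send_headers)
    stream += tomcat_response(200, "OK", {}, b"public page for bob", always_send_headers)
    return proxy_replay(stream)


if __name__ == "__main__":
    for label, fixed in (("regressed Tomcat", False), ("fixed Tomcat", True)):
        print(f"{label}: second response headers = {simulate(fixed)[1]['headers']}")
```

With `always_send_headers=False` the second client's response arrives with the first client's Set-Cookie header attached; with the fixed behaviour an empty SEND_HEADERS message precedes the body and the stale headers are replaced.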
Recommendations
For Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88, update to the release that includes the fix for bug 66591: 11.0.0-M6, 10.1.9, 9.0.75 or 8.5.89 respectively. Earlier releases do not contain the regression and are not affected.
If updating immediately is not possible, stop fronting Tomcat with mod_proxy_ajp (for example, proxy over HTTP instead) until the update is applied; the leak only occurs when an AJP proxy sits between the client and Tomcat.
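A triage script for the recommendations above, as an added example that is not part of the advisory: it tells the four regressed builds apart from earlier and later releases of each branch, and checks whether AJP is actually in the request path (an AJP connector in server.xml and an ajp:// ProxyPass in the httpd configuration), since the leak needs both. The fixed versions are taken from the Apache Tomcat security pages; the sample server.xml and httpd.conf fragments are constructed.

```python
"""Triage helper for CVE-2023-34981 (added example, not part of the advisory):
is this Tomcat build one of the affected ones, and is AJP in use at all?
The sample configuration fragments below are constructed."""
import re
import xml.etree.ElementTree as ET

# Affected builds named in the advisory, mapped to the release of the same
# branch that carries the fix for bug 66591 (per the Apache Tomcat security pages).
AFFECTED = {"11.0.0-M5": "11.0.0-M6", "10.1.8": "10.1.9",
            "9.0.74": "9.0.75", "8.5.88": "8.5.89"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '11.0.0-M5' or a Server header like 'Apache Tomcat/9.0.74' into a
    sortable tuple; milestones (M-n) sort before the final release of that number."""
    m = _VERSION_RE.match(text.strip().rsplit("/", 1)[-1])
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            0 if milestone else 1, int(milestone or 0))


def assess_version(text: str):
    """('affected', fixed) for the four regressed builds, ('fixed', fixed) for a
    later build of the same branch, ('not affected', None) otherwise: older
    builds never had the regression, so they are deliberately not flagged."""
    v = parse_version(text)
    for bad, good in AFFECTED.items():
        b = parse_version(bad)
        if v == b:
            return "affected", good
        if v[:2] == b[:2] and v >= parse_version(good):
            return "fixed", good
    return "not affected", None


def ajp_connectors(server_xml: str) -> list:
    """AJP <Connector> elements in a Tomcat server.xml, as attribute dicts."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if "AJP" in c.get("protocol", "").upper()]


# Matches "ProxyPass /path ajp://host:8009/path" and the two-argument form
# "ProxyPass ajp://..." used inside <Location> blocks.
_PROXYPASS_RE = re.compile(
    r"^\s*ProxyPass(?:Match)?\s+(?:\S+\s+)?(ajp://\S+)", re.IGNORECASE | re.MULTILINE)


def ajp_proxy_targets(httpd_conf: str) -> list:
    """ajp:// backends that mod_proxy_ajp would forward requests to."""
    return _PROXYPASS_RE.findall(httpd_conf)


# Constructed sample configuration: one HTTP and one AJP connector ...
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" secretRequired="true" secret="changeme"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>"""

# ... and an httpd front end with two AJP routes and one plain HTTP route.
SAMPLE_HTTPD_CONF = """ProxyRequests Off
ProxyPass /app ajp://127.0.0.1:8009/app
<Location /legacy>
    ProxyPass ajp://tomcat-old.internal:8009/legacy
</Location>
ProxyPass /static http://127.0.0.1:8081/static
"""


def triage(version: str, server_xml: str = SAMPLE_SERVER_XML,
           httpd_conf: str = SAMPLE_HTTPD_CONF) -> dict:
    """Combine the version verdict with whether AJP is in the request path;
    the header leak only matters when an AJP proxy sits in front of Tomcat."""
    verdict, fixed = assess_version(version)
    connectors = ajp_connectors(server_xml)
    targets = ajp_proxy_targets(httpd_conf)
    return {"verdict": verdict, "update_to": fixed,
            "ajp_connectors": connectors, "ajp_proxy_targets": targets,
            "exposed": verdict == "affected" and bool(connectors) and bool(targets)}


if __name__ == "__main__":
    for v in ("Apache Tomcat/9.0.74", "11.0.0-M6", "9.0.73"):
        print(v, "->", triage(v)["verdict"])
```

Feed it the real server.xml and httpd configuration instead of the samples; an "affected" verdict with no AJP connector or no ajp:// ProxyPass still warrants the update, but is not exposed to this particular leak.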
Tags: Fix · Incorrect Permission · Information Disclosure
Affected Products
Apache Tomcat
Red Os