Description
The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."
Remediation
References
http://svn.apache.org/viewvc?view=revision&revision=1086349
http://www.securityfocus.com/archive/1/517363
http://tomcat.apache.org/security-7.html
http://seclists.org/fulldisclosure/2011/Apr/97
http://www.securityfocus.com/bid/47199
http://svn.apache.org/viewvc?view=revision&revision=1086352
https://issues.apache.org/bugzilla/show_bug.cgi?id=50957
http://www.vupen.com/english/advisories/2011/0894
http://www.securitytracker.com/id?1025303
http://securityreason.com/securityalert/8188
https://exchange.xforce.ibmcloud.com/vulnerabilities/66676
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12374
Related Vulnerabilities
CVE-2023-29519 Vulnerability in maven package org.xwiki.platform:xwiki-platform-attachment-ui
CVE-2022-36092 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore
CVE-2021-21293 Vulnerability in maven package org.http4s:blaze-core_2.13
CVE-2020-9488 Vulnerability in maven package org.apache.logging.log4j:log4j
CVE-2020-26217 Vulnerability in maven package com.thoughtworks.xstream:xstream