Description

The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."

Remediation

References

http://svn.apache.org/viewvc?view=revision&revision=1086349

http://www.securityfocus.com/archive/1/517363

http://tomcat.apache.org/security-7.html

http://seclists.org/fulldisclosure/2011/Apr/97

http://www.securityfocus.com/bid/47199

http://svn.apache.org/viewvc?view=revision&revision=1086352

https://issues.apache.org/bugzilla/show_bug.cgi?id=50957

http://www.vupen.com/english/advisories/2011/0894

http://www.securitytracker.com/id?1025303

http://securityreason.com/securityalert/8188

https://exchange.xforce.ibmcloud.com/vulnerabilities/66676

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12374

Related Vulnerabilities

CVE-2018-11787 Vulnerability in maven package org.apache.karaf.webconsole:org.apache.karaf.webconsole.features

CVE-2023-26480 Vulnerability in maven package org.xwiki.platform:xwiki-platform-livedata-macro

CVE-2019-13127 Vulnerability in npm package mxgraph

CVE-2022-29256 Vulnerability in npm package sharp

CVE-2021-39149 Vulnerability in maven package com.thoughtworks.xstream:xstream

Severity

Critical

Classification

CWE-20

Tags

Patch Vendor Advisory