Description
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.
Remediation
References
http://www.securityfocus.com/bid/49353
https://issues.apache.org/bugzilla/show_bug.cgi?id=51698
http://secunia.com/advisories/45748
http://www.securitytracker.com/id?1025993
http://securityreason.com/securityalert/8362
http://www.mandriva.com/security/advisories?name=MDVSA-2011:156
http://www.debian.org/security/2012/dsa-2401
http://secunia.com/advisories/49094
http://marc.info/?l=bugtraq&m=132215163318824&w=2
http://marc.info/?l=bugtraq&m=136485229118404&w=2
http://marc.info/?l=bugtraq&m=139344343412337&w=2
http://secunia.com/advisories/57126
http://marc.info/?l=bugtraq&m=133469267822771&w=2
https://exchange.xforce.ibmcloud.com/vulnerabilities/69472
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19465
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14933
http://secunia.com/advisories/48308
http://www.securityfocus.com/archive/1/519466/100/0/threaded
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
Related Vulnerabilities
CVE-2023-36477 Vulnerability in maven package org.xwiki.platform:xwiki-platform-ckeditor-ui
CVE-2019-12043 Vulnerability in maven package org.webjars.bower:remarkable
CVE-2023-6927 Vulnerability in maven package org.keycloak:keycloak-services
CVE-2020-7607 Vulnerability in npm package gulp-styledocco
CVE-2019-9827 Vulnerability in maven package io.hawt:hawtio-system