Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

Mark Thomas Thu, 22 Jun 2023 02:50:54 -0700

On 22/06/2023 00:17, Stefan Mayr wrote:

Hi,
Am 21.06.2023 um 12:20 schrieb Mark Thomas:
CVE-2023-34981 Apache Tomcat - Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88

Description:
The fix for bug 66512 introduced a regression that was fixed as bug66591. The regression meant that, if a response did not have any HTTPheaders set, no AJP SEND_HEADERS message would be sent which in turnmeant that at least one AJP based proxy (mod_proxy_ajp) would use theresponse headers from the previous request for the current requestleading to an information leak.
 > ...

Are setups with mod_jk also affected?


Almost certainly but it wasn't explicitly tested.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: [SECURITY] CVE-2023-34981 Apache Tomcat - Information disclosure

Reply via email to