CVE-2023-34981 Apache Tomcat - Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M5
Apache Tomcat 10.1.8
Apache Tomcat 9.0.74
Apache Tomcat 8.5.88

The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message was sent. At least one AJP-based proxy (mod_proxy_ajp) then reused the response headers from the previous request for the current request, leading to an information leak.
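As an added illustration (not Tomcat's or mod_proxy_ajp's code), a simplified Python model of the AJP exchange described above: a container-side serialiser that can reproduce the regression (dropping SEND_HEADERS when a response has no headers) next to the fixed behaviour, and a proxy-side reader whose per-connection state shows why the previous response's status and headers reappear. Framing follows AJP13 (`AB`, length, type 4 SEND_HEADERS, type 5 END_RESPONSE); header names are written as plain strings, and the sample responses are constructed.

```python
import struct
SEND_HEADERS, END_RESPONSE = 4, 5  # AJP13 message types, container -> proxy

def ajp_string(s: str) -> bytes:
    b = s.encode()
    return struct.pack(">H", len(b)) + b + b"\x00"  # length, bytes, NUL

def ajp_packet(payload: bytes) -> bytes:
    return b"AB" + struct.pack(">H", len(payload)) + payload

def encode_response(status: int, headers: list, skip_empty_headers: bool) -> bytes:
    """skip_empty_headers=True models the regression: no SEND_HEADERS if no headers."""
    out = b""
    if headers or not skip_empty_headers:
        p = bytes([SEND_HEADERS]) + struct.pack(">H", status) + ajp_string("OK")
        p += struct.pack(">H", len(headers))
        for name, value in headers:
            p += ajp_string(name) + ajp_string(value)
        out += ajp_packet(p)
    return out + ajp_packet(bytes([END_RESPONSE, 1]))  # 1 = keep connection open

def read_string(buf: bytes, pos: int):
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n].decode(), pos + 3 + n

def proxy_decode(stream: bytes) -> list:
    """Proxy side of one persistent AJP connection. Status/header state lives on
    the connection, so a response with no SEND_HEADERS reports the previous values."""
    results, status, headers, pos = [], None, {}, 0
    while pos < len(stream):
        assert stream[pos:pos + 2] == b"AB"
        n = struct.unpack_from(">H", stream, pos + 2)[0]
        payload, pos = stream[pos + 4:pos + 4 + n], pos + 4 + n
        if payload[0] == SEND_HEADERS:
            status = struct.unpack_from(">H", payload, 1)[0]
            _, p = read_string(payload, 3)  # reason phrase
            count = struct.unpack_from(">H", payload, p)[0]
            headers, p = {}, p + 2
            for _ in range(count):
                name, p = read_string(payload, p)
                headers[name], p = read_string(payload, p)
        elif payload[0] == END_RESPONSE:
            results.append((status, dict(headers)))
    return results

def simulate(skip_empty_headers: bool) -> list:
    # Constructed sample: a cookie-bearing response, then a header-less 204, same connection.
    stream = encode_response(200, [("Set-Cookie", "session=user-a")], skip_empty_headers)
    stream += encode_response(204, [], skip_empty_headers)
    return proxy_decode(stream)
```

With `simulate(True)` the second, header-less response is reported with the first response's cookie; with `simulate(False)` it is reported as a clean 204.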

Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M6 or later
- Upgrade to Apache Tomcat 10.1.9 or later
- Upgrade to Apache Tomcat 9.0.75 or later
- Upgrade to Apache Tomcat 8.5.89 or later

Credit:
Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.

History:
2023-06-21 Original advisory
