GHSA-j39c-c8hj-x4j3

Suggest an improvement
Source
https://github.com/advisories/GHSA-j39c-c8hj-x4j3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j39c-c8hj-x4j3/GHSA-j39c-c8hj-x4j3.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j39c-c8hj-x4j3
Aliases
Related
Published
2021-06-16T17:45:29Z
Modified
2024-02-19T05:31:20.661579Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Details

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Database specific
{
    "nvd_published_at": "2021-03-01T12:15:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-03-24T19:53:13Z"
}
References

Affected packages

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0
Fixed
10.0.2

Affected versions

10.*

10.0.0

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0
Fixed
9.0.43

Affected versions

9.*

9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39
9.0.40
9.0.41

Maven / org.apache.tomcat.embed:tomcat-embed-core

Package

Name
org.apache.tomcat.embed:tomcat-embed-core
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.63

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.8
8.5.9
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.16
8.5.19
8.5.20
8.5.21
8.5.23
8.5.24
8.5.27
8.5.28
8.5.29
8.5.30
8.5.31
8.5.32
8.5.33
8.5.34
8.5.35
8.5.37
8.5.38
8.5.39
8.5.40
8.5.41
8.5.42
8.5.43
8.5.45
8.5.46
8.5.47
8.5.49
8.5.50
8.5.51
8.5.53
8.5.54
8.5.55
8.5.56
8.5.57
8.5.58
8.5.59
8.5.60
8.5.61