GHSA-vvw4-rfwf-p6hx

Suggest an improvement
Source
https://github.com/advisories/GHSA-vvw4-rfwf-p6hx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-vvw4-rfwf-p6hx/GHSA-vvw4-rfwf-p6hx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vvw4-rfwf-p6hx
Aliases
Published
2022-02-09T22:58:06Z
Modified
2024-03-11T16:46:30.999148Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
Details

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

Database specific
{
    "nvd_published_at": "2020-12-03T19:15:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-12T16:06:44Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat-coyote

Package

Name
org.apache.tomcat:tomcat-coyote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
10.0.0-M1
Fixed
10.0.0-M10

Affected versions

10.*

10.0.0-M1
10.0.0-M3
10.0.0-M4
10.0.0-M5
10.0.0-M6
10.0.0-M7
10.0.0-M8
10.0.0-M9

Maven / org.apache.tomcat:tomcat-coyote

Package

Name
org.apache.tomcat:tomcat-coyote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
9.0.0-M1
Fixed
9.0.40

Affected versions

9.*

9.0.0.M1
9.0.0.M3
9.0.0.M4
9.0.0.M6
9.0.0.M8
9.0.0.M9
9.0.0.M10
9.0.0.M11
9.0.0.M13
9.0.0.M15
9.0.0.M17
9.0.0.M18
9.0.0.M19
9.0.0.M20
9.0.0.M21
9.0.0.M22
9.0.0.M25
9.0.0.M26
9.0.0.M27
9.0.1
9.0.2
9.0.4
9.0.5
9.0.6
9.0.7
9.0.8
9.0.10
9.0.11
9.0.12
9.0.13
9.0.14
9.0.16
9.0.17
9.0.19
9.0.20
9.0.21
9.0.22
9.0.24
9.0.26
9.0.27
9.0.29
9.0.30
9.0.31
9.0.33
9.0.34
9.0.35
9.0.36
9.0.37
9.0.38
9.0.39

Maven / org.apache.tomcat:tomcat-coyote

Package

Name
org.apache.tomcat:tomcat-coyote
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat-coyote

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.5.0
Fixed
8.5.60

Affected versions

8.*

8.5.0
8.5.2
8.5.3
8.5.4
8.5.5
8.5.6
8.5.8
8.5.9
8.5.11
8.5.12
8.5.13
8.5.14
8.5.15
8.5.16
8.5.19
8.5.20
8.5.21
8.5.23
8.5.24
8.5.27
8.5.28
8.5.29
8.5.30
8.5.31
8.5.32
8.5.33
8.5.34
8.5.35
8.5.37
8.5.38
8.5.39
8.5.40
8.5.41
8.5.42
8.5.43
8.5.45
8.5.46
8.5.47
8.5.49
8.5.50
8.5.51
8.5.53
8.5.54
8.5.55
8.5.56
8.5.57
8.5.58
8.5.59