GoogleOSV:GHSA-H6C8-RG87-F3PCApache Tomcat HTTP BIO Connector Error Discloses Information From Different Requests to Remote Users
The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to “a mix-up of responses for requests from different users.”
References
seclists.org/fulldisclosure/2011/Apr/97
svn.apache.org/viewvc?view=revision&revision=1086349
svn.apache.org/viewvc?view=revision&revision=1086352
tomcat.apache.org/security-7.html
exchange.xforce.ibmcloud.com/vulnerabilities/66676
github.com/apache/tomcat
github.com/apache/tomcat/commit/d2e8f2ede7dea39f75f68384f331f38f094e4ed3
github.com/apache/tomcat/commit/fd8a579e0e2379a84826b11700adf396e4ed2041
issues.apache.org/bugzilla/show_bug.cgi?id=50957
nvd.nist.gov/vuln/detail/CVE-2011-1475
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12374
web.archive.org/web/20120605200856/www.securityfocus.com/bid/47199
web.archive.org/web/20170202012852/www.securityfocus.com/archive/1/517363
web.archive.org/web/20170317142459/www.securitytracker.com/id?1025303
Related
