CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
74.2%
If an async request was completed by the application at the same time as
the container triggered the async timeout, a race condition existed that
could result in a user seeing a response intended for a different user. An
additional issue was present in the NIO and NIO2 connectors that did not
correctly track the closure of the connection when an async request was
completed by the application and timed out by the container at the same
time. This could also result in a user seeing a response intended for
another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5
to 8.5.31.
Author | Note |
---|---|
debian | Vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
74.2%