Apache Tomcat: AJP response header mix-up
CVE-2023-34981

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 21 June 2023

Summary

A regression in the security fix related to a previous bug within Apache Tomcat has introduced a vulnerability that can lead to information disclosure. Specifically, when the response lacks HTTP headers, the AJP SEND_HEADERS message is not sent. This omission allows at least one AJP proxy (mod_proxy_ajp) to unintentionally reuse the response headers from prior requests. This misbehavior could result in sensitive information being exposed, compromising the server's overall security.

Affected Version(s)

Apache Tomcat 11.0.0-M5

Apache Tomcat 10.1.8

Apache Tomcat 9.0.74

References

https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxh...

vendor-advisory

https://security.netapp.com/advisory/ntap-20230714-0003/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jun 21, 2023
Vulnerability Reserved
Jun 8, 2023

Credit

Hidenobu Hayashi and Yuichiro Fukubayashi of M3, Inc.