Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests
CVE-2023-42795

5.3MEDIUM

Key Information:

Vendor: Apache
Status: Apache Tomcat
Vendor: CVE Published:; 10 October 2023

Summary

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.

Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

Affected Version(s)

Apache Tomcat 11.0.0-M1 <= 11.0.0-M11

Apache Tomcat 10.1.0-M1 <= 10.1.13

Apache Tomcat 9.0.0-M1 <= 9.0.80

References

https://lists.apache.org/thread/065jfyo583490r9j2v73nhpyx...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/10/10/9

https://www.debian.org/security/2023/dsa-5522

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2023
Vulnerability Reserved
Sep 14, 2023