Back to bug 2216439
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| Product Security DevOps Team | 2023-06-21 21:40:56 UTC | Blocks | 2216438 | |
| | | Status | NEW | CLOSED |
| | | Resolution | --- | NOTABUG |
| | | Last Closed | 2023-06-21 21:40:56 UTC | |
| Sandipan Roy | 2023-06-23 04:03:38 UTC | CC | rhcs-maint | |
| Sandipan Roy | 2023-06-23 04:03:55 UTC | Status | CLOSED | NEW |
| | | Resolution | NOTABUG | --- |
| | | Keywords | Reopened | |
| Sandipan Roy | 2023-06-23 04:11:48 UTC | Depends On | 2216886, 2216887 | |
| Product Security DevOps Team | 2023-06-23 08:41:51 UTC | Status | NEW | CLOSED |
| | | Resolution | --- | NOTABUG |
| | | Last Closed | 2023-06-21 21:40:56 UTC | 2023-06-23 08:41:51 UTC |
| Sandipan Roy | 2023-06-23 09:37:53 UTC | Status | CLOSED | NEW |
| | | Alias | TRIAGE-CVE-2023-34981 | CVE-2023-34981 |
| | | Severity | high | medium |
| | | Summary | TRIAGE-CVE-2023-34981 tomcat: information disclosure | CVE-2023-34981 tomcat: response headers from the previous request leading to an information leak |
| | | Priority | high | medium |
| | | Resolution | NOTABUG | --- |
| Sandipan Roy | 2023-06-23 09:42:36 UTC | Depends On | 2216926, 2216929, 2216927, 2216928, 2216930, 2216925 | |
| Red Hat Bugzilla | 2023-07-07 08:32:11 UTC | Assignee | security-response-team | nobody |
| Coty Sutherland | 2023-07-07 14:05:58 UTC | CC | saroy | |
| | | Flags | needinfo?(saroy) | |
| Sandipan Roy | 2023-07-16 16:44:20 UTC | Flags | needinfo?(saroy) | |
| Patrick Del Bello | 2023-07-31 14:59:01 UTC | Doc Text | A flaw was found under Tomcat. If a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request leading to an information leak. This information leaked may give a user sensitive information which is uncontrolled. | |
| | | CC | jclere, mmadzin, peholase, pjindal, szappis | |
| | | Priority | medium | high |
| | | Severity | medium | high |
| | | Fixed In Version | tomcat 8.5.88, tomcat 9.0.74, tomcat 10.1.8, tomcat 11.0.0 | |
| Paige Jung | 2023-07-31 16:04:36 UTC | Doc Text | A flaw was found under Tomcat. If a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request leading to an information leak. This information leaked may give a user sensitive information which is uncontrolled. | A flaw was found in Tomcat. If a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent, resulting in at least one AJP based proxy (mod_proxy_ajp) using the response headers from the previous request for the current request, leading to an information leak. The information leaked may give a user sensitive information which is uncontrolled. |