Bug 2216439 (CVE-2023-34981) - CVE-2023-34981 tomcat: response headers from the previous request leading to an information leak
Summary: CVE-2023-34981 tomcat: response headers from the previous request leading to ...
Keywords:
Status: NEW
Alias: CVE-2023-34981
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2216886 2216887 2216925 2216926 2216927 2216928 2216929 2216930
Blocks: 2216438
TreeView+ depends on / blocked
 
Reported: 2023-06-21 11:34 UTC by ybuenos
Modified: 2024-03-08 18:04 UTC (History)
8 users (show)

Fixed In Version: tomcat 8.5.88, tomcat 9.0.74, tomcat 10.1.8, tomcat 11.0.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Tomcat. If a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent, resulting in at least one AJP based proxy (mod_proxy_ajp) using the response headers from the previous request for the current request, leading to an information leak. The information leaked may give a user sensitive information which is uncontrolled.
Clone Of:
Environment:
Last Closed: 2023-06-23 08:41:51 UTC
Embargoed:

Attachments (Terms of Use)

Description ybuenos 2023-06-21 11:34:15 UTC 
The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request leading to an information leak.

This was fixed with commit 2214c803.

This issue was reported to the Tomcat Security Team on 24 May 2023. The issue was made public on 21 June 2023.

Affects: 8.5.88
Comment 1 Sandipan Roy 2023-06-23 04:11:54 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-37 [bug 2216886]
Affects: fedora-38 [bug 2216887]
Note You need to log in before you can comment on or make changes to this bug.