CVE-2023-34981

CVE	CVE-2023-34981
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2023-06-21 11:15:00 UTC
Updated	2023-07-21 19:20:00 UTC
Description	A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

Problem Types: NVD-CWE-noinfo

Type	Vendor	Product	Version	Update	Edition	Language
Application	Apache	Tomcat	10.1.8	All	All	All
Application	Apache	Tomcat	11.0.0	milestone5	All	All
Application	Apache	Tomcat	8.5.88	All	All	All
Application	Apache	Tomcat	9.0.74	All	All	All

Reference	Source	Link	Tags
403 Forbidden	MISC	security.netapp.com
lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz	MISC	lists.apache.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

150695 Apache Tomcat Information Disclosure Vulnerability (CVE-2023-34981)
20354 Oracle Database 19c Critical Patch Update - July 2023
20355 Oracle Database 21c Critical Patch Update - July 2023
20356 Oracle Database 19c Critical OJVM Patch Update - July 2023
296101 Oracle Solaris 11.4 Support Repository Update (SRU) 59.138.2 Missing (CPUJUL2023)
730829 Apache Tomcat Information disclosure Vulnerability (CVE-2023-34981)
730830 Apache Tomcat Information disclosure Vulnerability (CVE-2023-34981)
730831 Apache Tomcat Information disclosure Vulnerability (CVE-2023-34981)