QID 356628
Date Published: 2023-11-09
QID 356628: Amazon Linux Security Advisory for tomcat9 : ALAS2023-2023-415
Incomplete cleanup vulnerability in apache tomcat.
When recycling various internal objects in apache tomcat from 11.0.0-m1 through 11.0.0-m11, from 10.1.0-m1 through 10.1.13, from 9.0.0-m1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.
Users are recommended to upgrade to version 11.0.0-m12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. (
( CVE-2023-42795) improper input validation vulnerability in apache tomcat.
Tomcat from 11.0.0-m1 through 11.0.0-m11, from 10.1.0-m1 through 10.1.13, from 9.0.0-m1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse http trailer headers.
A specially crafted, invalid trailer header could cause tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-m12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. (
( CVE-2023-45648)
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
Successful exploitation of this vulnerability could lead to a securitybreach or could affect integrity, availability, and confidentiality.
- ALAS2023-2023-415 -
alas.aws.amazon.com/AL2023/ALAS-2023-415.html
CVEs related to QID 356628
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| ALAS2023-2023-415 | amazon linux 2023 |
alas.aws.amazon.com/AL2023/ALAS-2023-415.html |