CVE-2018-8037

Severity

4.8

Description

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8037

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32

https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.10

Project

Apache Tomcat

Category

Information Disclosure

Tags

data

Date Disclosed

2018-07-22

Date Discovered

2018-03-09

Apache Tomcat 9.0.x

First release:

2018-01-18

CVEs:

49

Support Lifecycle:

Maintenance Support

Namespace:

javax

9.0.1 9.0.2 9.0.4 9.0.5 9.0.6 9.0.7 9.0.8

Apache Tomcat 8.5.x

First release:

2016-06-13

CVEs:

66

Support Lifecycle:

Maintenance Support

Namespace:

javax

8.5.3 8.5.4 8.5.5 8.5.6 8.5.8 8.5.9 8.5.11 8.5.12 8.5.13 8.5.14 8.5.15 8.5.16 8.5.19 8.5.20 8.5.21 8.5.23 8.5.24 8.5.27 8.5.28 8.5.29 8.5.30 8.5.31

Apache TomEE 7.0.x

First release:

2016-05-17

CVEs:

111

Support Lifecycle:

Maintenance Support

Namespace:

javax

7.0.1 7.0.2 7.0.3 7.0.4

Feel Vulnerable?

Contact us so we can help you.

First name ^*
Last name ^*
Email ^*
Company ^*
Product ^*
Heard about us from: ^*
Tell us more ^*

Send me a confirmation email

^* These fields are required.