CVE-2007-6286: Sensitive Information Exposure in Apache Tomcat

Severity: 4.3 MEDIUM (NVD)
EPSS: 9.5% (top 7.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Feb 12; latest update May 1

Description

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

CVSS vector

AV:N/AC:M/C:N/I:P/A:N (Exploitability: 8.6 | Impact: 2.9)

Affected Packages (1 package)

NVD: apache/tomcat, 31 versions (+30)

Vulnerability Details (3)

GHSA: Apache Tomcat Does Not Properly Handle Empty Requests (2022-05-01)
OSV: Apache Tomcat Does Not Properly Handle Empty Requests (2022-05-01)
CVEList: CVE-2007-6286: Apache Tomcat 5 (2008-02-12)

Vendor Advisories (1)

Red Hat: Tomcat5 Data integrity (2008-02-08)

Community (1)

Bugzilla: CVE-2007-6286 Tomcat5 Data integrity (2008-02-11)
CVE-2007-6286 — Sensitive Information Exposure | cvebase