CVE-2016-8745 — Race Condition in Apache Tomcat
Severity: 7.5 HIGH (NVD)
EPSS: 10.9% (top 6.59%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Aug 10
Latest update: May 14
Description
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body.…
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 2 packages
Vulnerability Details (4)
OSV: Concurrent Execution using Shared Resource with Improper Synchronization in Apache Tomcat (2022-05-14)
GHSA: Concurrent Execution using Shared Resource with Improper Synchronization in Apache Tomcat (2022-05-14)
CVEList: CVE-2016-8745: A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9 (2017-08-10)
OSV: CVE-2016-8745: A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9 (2017-01-13)
Vendor Advisories (4)
Community (3)
Bugzilla: CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing [fedora-all] (2016-12-12)