CVE-2016-8747 — Sensitive Information Exposure in Software Foundation Apache Tomcat

CWE-200 — Sensitive Information Exposure8 documents7 sources

Severity

7.5HIGHNVD

EPSS

3.1%

top 13.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Tomcat Apache Tomcat

Timeline

PublishedMar 14

Latest updateMay 14

Description

An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDapache/tomcat4 versions+3

▶CVEListV5apache_software_foundation/apache_tomcat8.5.7 to 8.5.9, 9.0.0.M11 to 9.0.0.M15+1

Patches

Patch: svn.apache.org ↗Patch: svn.apache.org ↗Patch: svn.apache.org ↗

🔴Vulnerability Details

OSV

Apache Tomcat allows remote attackers to read data that was intended to be associated with a different request↗2022-05-14

▶

GHSA

Apache Tomcat allows remote attackers to read data that was intended to be associated with a different request↗2022-05-14

▶

CVEList

CVE-2016-8747: An information disclosure issue was discovered in Apache Tomcat 8↗2017-03-14

▶

📋Vendor Advisories

Red Hat

tomcat: Information leak between requests on the same connection↗2017-03-13

▶

Apache

Apache tomcat: CVE-2016-8747↗

▶

💬Community

Bugzilla

CVE-2016-8747 tomcat: Information leak between requests on the same connection↗2017-03-14

▶

Bugzilla

CVE-2015-8747 CVE-2015-8748 radicale: Multiple security issues fixed in 1.1↗2016-01-05

▶