CVE-2016-8745

Aliases: GHSA-w3j5-q8f2-3cqq
Advisory lineage Upstream: 0 Downstream: 16
Modified
Published: 10 Aug 2017, 22:00
Last modified: 14 Nov 2024, 20:02

Vulnerability Summary

  • Overall Risk (default): medium, 32/100
  • CVSS Score: 7.5 HIGH, v3.0 (nvd)
  • EPSS Score: 10.91% MEDIUM, 11% probability 0.00%
  • KEV: Not listed
  • Ransomware: No reports
  • Public exploits: None found
  • Dark Web: Not detected

Timeline

  • 10 Aug 2017, 22:00: Published. Vulnerability first disclosed.
  • 14 Nov 2024, 20:02: Last Modified. Vulnerability information updated.

Description

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards, where it appears the refactoring of the Connector code made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug, but further investigation has shown that the bug is present in all currently supported Tomcat versions.

CVSS Metrics

  • v3.0 | HIGH | Score: 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  • v2.0 | MEDIUM | Score: 5 | AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 10.91% Percentile: 94%

Techniques & Countermeasures

  • CWE-388: 7PK - Errors

    This category represents one of the phyla in the Seven Pernicious Kingdoms vulnerability classification. It includes weaknesses that occur when an application does not properly handle errors that occur during processing. According to the authors of the Seven Pernicious Kingdoms, "Errors and error handling represent a class of API. Errors related to error handling are so common that they deserve a special kingdom of their own. As with 'API Abuse,' there are two ways to introduce an error-related security vulnerability: the most common one is handling errors poorly (or not at all). The second is producing errors that either give out too much information (to possible attackers) or are difficult to handle."

Affected Systems

  • apache software foundation: apache tomcat

    9.0.0.M1 to 9.0.0.M13 | 8.5.0 to 8.5.8 | 8.0.0.RC1 to 8.0.39 | 7.0.0 to 7.0.73 | 6.0.16 to 6.0.48

  • Unknown: Tomcat

    7.0.0 | 7.0.1 | 7.0.2 | 7.0.3 | 7.0.4 | 7.0.5 | 7.0.6 | 7.0.7 | 7.0.8 | 7.0.9 | 7.0.11 | 7.0.12 | 7.0.13 | 7.0.14 | 7.0.15 | 7.0.16 | 7.0.17 | 7.0.18 | 7.0.19 | 7.0.20 | 7.0.21 | 7.0.22 | 7.0.23 | 7.0.24 | 7.0.25 | 7.0.26 | 7.0.27 | 7.0.28 | 7.0.29 | 7.0.30 | 7.0.31 | 7.0.32 | 7.0.33 | 7.0.34 | 7.0.35 | 7.0.36 | 7.0.37 | 7.0.38 | 7.0.39 | 7.0.40 | 7.0.41 | 7.0.42 | 7.0.43 | 7.0.44 | 7.0.45 | 7.0.46 | 7.0.47 | 7.0.48 | 7.0.49 | 7.0.50 | 7.0.52 | 7.0.53 | 7.0.54 | 7.0.55 | 7.0.56 | 7.0.57 | 7.0.58 | 7.0.59 | 7.0.60 | 7.0.61 | 7.0.62 | 7.0.63 | 7.0.64 | 7.0.65 | 7.0.66 | 7.0.67 | 7.0.68 | 7.0.69 | 7.0.70 | 7.0.71 | 7.0.72 | 7.0.73 | 8.0 | 8.0.0:rc1 | 8.0.0:rc10 | 8.0.0:rc3 | 8.0.0:rc5 | 8.0.1 | 8.0.2 | 8.0.3 | 8.0.4 | 8.0.5 | 8.0.6 | 8.0.7 | 8.0.8 | 8.0.9 | 8.0.10 | 8.0.11 | 8.0.12 | 8.0.13 | 8.0.14 | 8.0.15 | 8.0.16 | 8.0.17 | 8.0.18 | 8.0.19 | 8.0.20 | 8.0.21 | 8.0.22 | 8.0.23 | 8.0.24 | 8.0.25 | 8.0.26 | 8.0.27 | 8.0.28 | 8.0.29 | 8.0.30 | 8.0.31 | 8.0.32 | 8.0.33 | 8.0.34 | 8.0.35 | 8.0.36 | 8.0.37 | 8.0.38 | 8.0.39 | 8.5.0 | 8.5.1 | 8.5.2 | 8.5.3 | 8.5.4 | 8.5.5 | 8.5.6 | 8.5.7 | 8.5.8 | 9.0.0:milestone1 | 9.0.0:milestone10 | 9.0.0:milestone11 | 9.0.0:milestone12 | 9.0.0:milestone13 | 9.0.0:milestone2 | 9.0.0:milestone3 | 9.0.0:milestone4 | 9.0.0:milestone5 | 9.0.0:milestone6 | 9.0.0:milestone7 | 9.0.0:milestone8 | 9.0.0:milestone9

  • org.apache.tomcat:tomcat-util

    ≥ 9.0.0.M1, < 9.0.0.M14 | ≥ 8.5.0, < 8.5.9 | ≥ 8.0.0-RC1, < 8.0.41 | ≥ 7.0.0, < 7.0.75 | ≥ 6.0.16, < 6.0.50
