CVE-2017-5647

Aliases:GHSA-3gv7-3h64-78cm

Advisory lineage Upstream: 0 Downstream: 16

Downstream

DLA-924-1 DSA-3842-1 DSA-3843-1 MGASA-2017-0117 OPENSUSE-SU-2024:11468-1 OPENSUSE-SU-2024:13441-1

Modified

Published: 17 Apr 2017, 16:00

Last modified:05 Aug 2024, 15:11

Vulnerability Summary

Overall Risk (default)

medium

30/100

CVSS Score

7.5 HIGH

v3.0 (nvd)

EPSS Score

2.27% LOW

2% probability -0.70%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

17 Apr 2017, 16:00

Published

Vulnerability first disclosed

05 Aug 2024, 15:11

Last Modified

Vulnerability information updated

Description

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

CVSS Metrics

v3.0•HIGH•Score: 7.5CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 2.27%• Percentile: 85%

Techniques & Countermeasures

CWE-200•Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Affected Systems

apache software foundation•apache tomcat
9.0.0.M1 to 9.0.0.M18 | 8.5.0 to 8.5.12 | 8.0.0.RC1 to 8.0.42 | 7.0.0 to 7.0.76 | 6.0.0 to 6.0.52
Unknown•Tomcat
6.0.0 | 6.0.1 | 6.0.2 | 6.0.3 | 6.0.4 | 6.0.5 | 6.0.6 | 6.0.7 | 6.0.8 | 6.0.9 | 6.0.10 | 6.0.11 | 6.0.12 | 6.0.13 | 6.0.14 | 6.0.15 | 6.0.16 | 6.0.17 | 6.0.18 | 6.0.19 | 6.0.20 | 6.0.21 | 6.0.22 | 6.0.23 | 6.0.24 | 6.0.25 | 6.0.26 | 6.0.27 | 6.0.28 | 6.0.29 | 6.0.30 | 6.0.31 | 6.0.32 | 6.0.33 | 6.0.34 | 6.0.35 | 6.0.36 | 6.0.37 | 6.0.38 | 6.0.39 | 6.0.40 | 6.0.41 | 6.0.42 | 6.0.43 | 6.0.44 | 6.0.45 | 6.0.46 | 6.0.47 | 6.0.48 | 6.0.49 | 6.0.50 | 6.0.51 | 6.0.52 | 7.0.0 | 7.0.1 | 7.0.2 | 7.0.3 | 7.0.4 | 7.0.5 | 7.0.6 | 7.0.7 | 7.0.8 | 7.0.9 | 7.0.10 | 7.0.11 | 7.0.12 | 7.0.13 | 7.0.14 | 7.0.15 | 7.0.16 | 7.0.17 | 7.0.18 | 7.0.19 | 7.0.20 | 7.0.21 | 7.0.22 | 7.0.23 | 7.0.24 | 7.0.25 | 7.0.26 | 7.0.27 | 7.0.28 | 7.0.29 | 7.0.30 | 7.0.31 | 7.0.32 | 7.0.33 | 7.0.34 | 7.0.35 | 7.0.36 | 7.0.37 | 7.0.38 | 7.0.39 | 7.0.40 | 7.0.41 | 7.0.42 | 7.0.43 | 7.0.44 | 7.0.45 | 7.0.46 | 7.0.47 | 7.0.48 | 7.0.49 | 7.0.50 | 7.0.51 | 7.0.52 | 7.0.53 | 7.0.54 | 7.0.55 | 7.0.56 | 7.0.57 | 7.0.58 | 7.0.59 | 7.0.60 | 7.0.61 | 7.0.62 | 7.0.63 | 7.0.64 | 7.0.65 | 7.0.66 | 7.0.67 | 7.0.68 | 7.0.69 | 7.0.70 | 7.0.71 | 7.0.72 | 7.0.73 | 7.0.74 | 7.0.75 | 7.0.76 | 8.0.0 | 8.0.0:rc1 | 8.0.1 | 8.0.2 | 8.0.3 | 8.0.4 | 8.0.5 | 8.0.6 | 8.0.7 | 8.0.8 | 8.0.9 | 8.0.10 | 8.0.11 | 8.0.12 | 8.0.13 | 8.0.14 | 8.0.15 | 8.0.16 | 8.0.17 | 8.0.18 | 8.0.19 | 8.0.20 | 8.0.21 | 8.0.22 | 8.0.23 | 8.0.24 | 8.0.25 | 8.0.26 | 8.0.27 | 8.0.28 | 8.0.29 | 8.0.30 | 8.0.31 | 8.0.32 | 8.0.33 | 8.0.34 | 8.0.35 | 8.0.36 | 8.0.37 | 8.0.38 | 8.0.39 | 8.0.40 | 8.0.41 | 8.0.42 | 8.5.0 | 8.5.1 | 8.5.2 | 8.5.3 | 8.5.4 | 8.5.5 | 8.5.6 | 8.5.7 | 8.5.8 | 8.5.9 | 8.5.10 | 8.5.11 | 8.5.12 | 9.0.0:milestone1 | 9.0.0:milestone10 | 9.0.0:milestone11 | 9.0.0:milestone12 | 9.0.0:milestone13 | 9.0.0:milestone14 | 9.0.0:milestone15 | 9.0.0:milestone16 | 9.0.0:milestone17 | 9.0.0:milestone18 | 9.0.0:milestone2 | 9.0.0:milestone3 | 9.0.0:milestone4 | 9.0.0:milestone5 | 9.0.0:milestone6 | 9.0.0:milestone7 | 9.0.0:milestone8 | 9.0.0:milestone9
org.apache.tomcat•tomcat
≥ 9.0.0.M1, < 9.0.0.M19 | ≥ 8.5.0, < 8.5.13 | ≥ 8.0.0, < 8.0.43 | ≥ 7.0.0, < 7.0.77 | ≥ 6.0.0, < 6.0.53