CVE-2017-5651

CRITICAL

Apache Tomcat <9.0.0.M19, <8.5.13 - Info Disclosure

Description

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests, which in turn could lead to unexpected errors and/or response mix-up.

References (15)

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97544
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/201705-09
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180614-0001/
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id/1038219
Issue Tracking, Patch x_refsource_confirm
https://bz.apache.org/bugzilla/show_bug.cgi?id=60918

Scores

CVSS v3 9.8
EPSS 0.0614
EPSS Percentile 90.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (18)
apache/tomcat 8.5.0
apache/tomcat 8.5.1
apache/tomcat 8.5.2
apache/tomcat 8.5.3
apache/tomcat 8.5.4
apache/tomcat 8.5.5
apache/tomcat 8.5.6
apache/tomcat 8.5.7
apache/tomcat 8.5.8
apache/tomcat 8.5.9
... and 8 more
Published Apr 17, 2017
Tracked Since Feb 18, 2026