CVE-2018-8037

MEDIUM

Apache Tomcat 8.5.5-8.5.31 and 9.0.0.M9-9.0.9 - Information Disclosure via Race Condition


Description

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

References (26)

http://www.securitytracker.com/id/1041376 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_sectrack)
http://www.securityfocus.com/bid/104894 (Third Party Advisory, VDB Entry; vdb-entry, x_refsource_bid)
https://www.debian.org/security/2018/dsa-4281 (Third Party Advisory; vendor-advisory, x_refsource_debian)
https://security.netapp.com/advisory/ntap-20180817-0001/ (Third Party Advisory; x_refsource_confirm)
http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html (Patch, Third Party Advisory; x_refsource_confirm)
https://access.redhat.com/errata/RHSA-2018:2867 (Third Party Advisory; vendor-advisory, x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2018:2868 (Third Party Advisory; vendor-advisory, x_refsource_redhat)
https://access.redhat.com/errata/RHSA-2019:1529 (Vendor Advisory; vendor-advisory, x_refsource_redhat)

Scores

CVSS v3 5.9
EPSS 0.0845
EPSS Percentile 92.5%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-362
Status published
Products (4)
apache/tomcat 9.0.0 (20 CPE variants)
apache/tomcat 8.5.5 - 8.5.31
debian/debian_linux 9.0
org.apache.tomcat.embed/tomcat-embed-core 9.0.0.M9 - 9.0.10 (Maven)
Published Aug 02, 2018
Tracked Since Feb 18, 2026