#VU85619 Information disclosure in Apache Tomcat


Published: 2024-01-19

Vulnerability identifier: #VU85619

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-21733

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Tomcat
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application when processing incomplete HTTP POST requests. A remote attacker can send a specially crafted HTTP POST request to the server and obtain data from a previous request from another user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Tomcat: 8.5.0 - 8.5.63, 9.0.0 - 9.0.43

External links
http://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz
http://www.openwall.com/lists/oss-security/2024/01/19/2

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Rational Build Forge
Multiple vulnerabilities in IBM DevOps
Multiple vulnerabilities in IBM UrbanCode Release
Multiple vulnerabilities in IBM Storage Copy Data Management
openEuler update for tomcat
Multiple vulnerabilities in IBM Engineering Requirements Management DOORS/DWA
Multiple vulnerabilities in IBM Storage Virtualize
Information disclosure in Apache Tomcat