A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak..This CVE has a CVSS3.1 score of 7.2 and a Base Severity of HIGH.
| Info | Details |
|---|---|
| CVE ID | CVE-2023-34981 |
| CVE State | PUBLISHED |
| BaseScore | NA |
| BaseSeverity | NA |
| VectorString | NA |
| Version | NA |
References for CVE-2023-34981 :
https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
https://security.netapp.com/advisory/ntap-20230714-0003/
| Metric Type | Metric Score |
|---|---|
| AttackVector(AV) | NA |
| AttackComplexity(AC) | NA |
| PrivilegesRequired(PR) | NA |
| UserInteraction(UI) | NA |
| Scope(S) | NA |
| Confidentiality(C) | NA |
| Availability(A) | NA |
| Integrity(I) | NA |