7.5

CVE-2016-8745

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.
Data provided by the National Vulnerability Database (NVD)
Apache Tomcat Version 7.0.0
Apache Tomcat Version 7.0.1
Apache Tomcat Version 7.0.2
Apache Tomcat Version 7.0.3
Apache Tomcat Version 7.0.4
Apache Tomcat Version 7.0.5
Apache Tomcat Version 7.0.6
Apache Tomcat Version 7.0.7
Apache Tomcat Version 7.0.8
Apache Tomcat Version 7.0.9
Apache Tomcat Version 7.0.11
Apache Tomcat Version 7.0.12
Apache Tomcat Version 7.0.13
Apache Tomcat Version 7.0.14
Apache Tomcat Version 7.0.15
Apache Tomcat Version 7.0.16
Apache Tomcat Version 7.0.17
Apache Tomcat Version 7.0.18
Apache Tomcat Version 7.0.19
Apache Tomcat Version 7.0.20
Apache Tomcat Version 7.0.21
Apache Tomcat Version 7.0.22
Apache Tomcat Version 7.0.23
Apache Tomcat Version 7.0.24
Apache Tomcat Version 7.0.25
Apache Tomcat Version 7.0.26
Apache Tomcat Version 7.0.27
Apache Tomcat Version 7.0.28
Apache Tomcat Version 7.0.29
Apache Tomcat Version 7.0.30
Apache Tomcat Version 7.0.31
Apache Tomcat Version 7.0.32
Apache Tomcat Version 7.0.33
Apache Tomcat Version 7.0.34
Apache Tomcat Version 7.0.35
Apache Tomcat Version 7.0.36
Apache Tomcat Version 7.0.37
Apache Tomcat Version 7.0.38
Apache Tomcat Version 7.0.39
Apache Tomcat Version 7.0.40
Apache Tomcat Version 7.0.41
Apache Tomcat Version 7.0.42
Apache Tomcat Version 7.0.43
Apache Tomcat Version 7.0.44
Apache Tomcat Version 7.0.45
Apache Tomcat Version 7.0.46
Apache Tomcat Version 7.0.47
Apache Tomcat Version 7.0.48
Apache Tomcat Version 7.0.49
Apache Tomcat Version 7.0.50
Apache Tomcat Version 7.0.52
Apache Tomcat Version 7.0.53
Apache Tomcat Version 7.0.54
Apache Tomcat Version 7.0.55
Apache Tomcat Version 7.0.56
Apache Tomcat Version 7.0.57
Apache Tomcat Version 7.0.58
Apache Tomcat Version 7.0.59
Apache Tomcat Version 7.0.60
Apache Tomcat Version 7.0.61
Apache Tomcat Version 7.0.62
Apache Tomcat Version 7.0.63
Apache Tomcat Version 7.0.64
Apache Tomcat Version 7.0.65
Apache Tomcat Version 7.0.66
Apache Tomcat Version 7.0.67
Apache Tomcat Version 7.0.68
Apache Tomcat Version 7.0.69
Apache Tomcat Version 7.0.70
Apache Tomcat Version 7.0.71
Apache Tomcat Version 7.0.72
Apache Tomcat Version 7.0.73
Apache Tomcat Version 8.0
Apache Tomcat Version 8.0.0 Update rc1
Apache Tomcat Version 8.0.0 Update rc10
Apache Tomcat Version 8.0.0 Update rc3
Apache Tomcat Version 8.0.0 Update rc5
Apache Tomcat Version 8.0.1
Apache Tomcat Version 8.0.2
Apache Tomcat Version 8.0.3
Apache Tomcat Version 8.0.4
Apache Tomcat Version 8.0.5
Apache Tomcat Version 8.0.6
Apache Tomcat Version 8.0.7
Apache Tomcat Version 8.0.8
Apache Tomcat Version 8.0.9
Apache Tomcat Version 8.0.10
Apache Tomcat Version 8.0.11
Apache Tomcat Version 8.0.12
Apache Tomcat Version 8.0.13
Apache Tomcat Version 8.0.14
Apache Tomcat Version 8.0.15
Apache Tomcat Version 8.0.16
Apache Tomcat Version 8.0.17
Apache Tomcat Version 8.0.18
Apache Tomcat Version 8.0.19
Apache Tomcat Version 8.0.20
Apache Tomcat Version 8.0.21
Apache Tomcat Version 8.0.22
Apache Tomcat Version 8.0.23
Apache Tomcat Version 8.0.24
Apache Tomcat Version 8.0.25
Apache Tomcat Version 8.0.26
Apache Tomcat Version 8.0.27
Apache Tomcat Version 8.0.28
Apache Tomcat Version 8.0.29
Apache Tomcat Version 8.0.30
Apache Tomcat Version 8.0.31
Apache Tomcat Version 8.0.32
Apache Tomcat Version 8.0.33
Apache Tomcat Version 8.0.34
Apache Tomcat Version 8.0.35
Apache Tomcat Version 8.0.36
Apache Tomcat Version 8.0.37
Apache Tomcat Version 8.0.38
Apache Tomcat Version 8.0.39
Apache Tomcat Version 8.5.0
Apache Tomcat Version 8.5.1
Apache Tomcat Version 8.5.2
Apache Tomcat Version 8.5.3
Apache Tomcat Version 8.5.4
Apache Tomcat Version 8.5.5
Apache Tomcat Version 8.5.6
Apache Tomcat Version 8.5.7
Apache Tomcat Version 8.5.8
Apache Tomcat Version 9.0.0 Update milestone1
Apache Tomcat Version 9.0.0 Update milestone10
Apache Tomcat Version 9.0.0 Update milestone11
Apache Tomcat Version 9.0.0 Update milestone12
Apache Tomcat Version 9.0.0 Update milestone13
Apache Tomcat Version 9.0.0 Update milestone2
Apache Tomcat Version 9.0.0 Update milestone3
Apache Tomcat Version 9.0.0 Update milestone4
Apache Tomcat Version 9.0.0 Update milestone5
Apache Tomcat Version 9.0.0 Update milestone6
Apache Tomcat Version 9.0.0 Update milestone7
Apache Tomcat Version 9.0.0 Update milestone8
Apache Tomcat Version 9.0.0 Update milestone9
No CISA KEV or CERT.AT warning was found for this CVE.
EPSS Metrics
Type | Source | Score | Percentile
EPSS | FIRST.org | 17.1% | 0.947
CVSS Metrics
Source | Base Score | Exploit Score | Impact Score | Vector String
nvd@nist.gov | 7.5 | 3.9 | 3.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov | 5 | 10 | 2.9 | AV:N/AC:L/Au:N/C:P/I:N/A:N
https://security.gentoo.org/glsa/201705-09 (Third Party Advisory, VDB Entry)
http://www.securityfocus.com/bid/94828 (Third Party Advisory, VDB Entry)
http://www.securitytracker.com/id/1037432 (Third Party Advisory, VDB Entry)