CVE-2016-8747 Apache Tomcat Information Disclosure

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M11 to 9.0.0.M15
Apache Tomcat 8.5.7 to 8.5.9

Description:
The refactoring to make wider use of ByteBuffer introduced a regression that could cause information to leak between requests on the same connection. When running behind a reverse proxy, this could result in information leakage between users. All HTTP connector variants are affected but HTTP/2 and AJP are not affected.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M17 or later (Apache Tomcat 9.0.0.M16 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.11 or later (Apache Tomcat 8.5.10 has the fix but was not released)

Earlier versions are not affected.

Credit:
This issue was identified by the Tomcat security team.

History:
2017-03-13 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
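The affected ranges above mix milestone releases (9.0.0.M11 to 9.0.0.M15) with GA releases (8.5.7 to 8.5.9), which trips up naive string comparison: 9.0.0.M9 sorts after 9.0.0.M11 lexically, and the 9.0.0 GA release is newer than every 9.0.0.Mxx milestone. The following Python is an added example, not part of the advisory or of the Tomcat project, showing how an inventory or patch-tracking script can parse Tomcat version strings and decide whether a host falls inside the ranges this advisory names. The helper that pulls the version out of `version.sh` output assumes that script prints a "Server version: Apache Tomcat/x.y.z" line, which is the format current Tomcat releases use; the sample output below is constructed.

```python
import re
import sys
from typing import NamedTuple, Optional

# Milestone builds (9.0.0.M11) precede the GA build of the same x.y.z (9.0.0).
# A GA release therefore gets a milestone number larger than any real one.
GA_MILESTONE = sys.maxsize


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    milestone: int  # real milestone number, or GA_MILESTONE for GA builds

    @classmethod
    def parse(cls, text: str) -> "TomcatVersion":
        """Parse '8.5.9' or '9.0.0.M11' into a comparable tuple."""
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", text.strip())
        if not m:
            raise ValueError(f"not a Tomcat version string: {text!r}")
        major, minor, patch, milestone = m.groups()
        return cls(
            int(major),
            int(minor),
            int(patch),
            int(milestone) if milestone is not None else GA_MILESTONE,
        )


# Inclusive ranges taken directly from the advisory's "Versions Affected".
AFFECTED_RANGES = [
    (TomcatVersion.parse("9.0.0.M11"), TomcatVersion.parse("9.0.0.M15")),
    (TomcatVersion.parse("8.5.7"), TomcatVersion.parse("8.5.9")),
]

# First released versions containing the fix (M16 and 8.5.10 were never released).
FIXED_IN = {9: "9.0.0.M17", 8: "8.5.11"}


def is_affected(version_text: str) -> bool:
    """True if the given Tomcat version is inside an affected range.

    Tuple comparison does the work: (9, 0, 0, 11) <= (9, 0, 0, 15) holds,
    while the GA build (9, 0, 0, GA_MILESTONE) sorts after every milestone.
    """
    v = TomcatVersion.parse(version_text)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def remediation(version_text: str) -> Optional[str]:
    """Return the advisory's upgrade target for an affected version, else None."""
    if not is_affected(version_text):
        return None
    return FIXED_IN[TomcatVersion.parse(version_text).major]


# Assumed output format of $CATALINA_HOME/bin/version.sh (one line of interest).
_SERVER_LINE = re.compile(r"Server version:\s*Apache Tomcat/(\S+)")


def extract_version(version_sh_output: str) -> str:
    """Pull the version string out of version.sh output; raises if absent."""
    m = _SERVER_LINE.search(version_sh_output)
    if not m:
        raise ValueError("no 'Server version: Apache Tomcat/...' line found")
    return m.group(1)


# Constructed sample of version.sh output for a host running 8.5.9.
SAMPLE_VERSION_SH_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/8.5.9
Server built:   Dec 5 2016 20:18:12 UTC
Server number:  8.5.9.0
OS Name:        Linux
"""


if __name__ == "__main__":
    found = extract_version(SAMPLE_VERSION_SH_OUTPUT)
    for candidate in (found, "9.0.0.M9", "9.0.0.M11", "9.0.0", "8.5.11"):
        target = remediation(candidate)
        status = f"AFFECTED, upgrade to {target}" if target else "not affected"
        print(f"{candidate:<10} {status}")
```

The point of the sentinel milestone is the 9.0.0 line: a plain string or float comparison would place "9.0.0.M9" inside the M11 to M15 window and would treat the GA 9.0.0 build as older than its own milestones, so a tracker that used either would both miss affected hosts and flag fixed ones.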