Race Condition Affecting tomcat-jsp-2_3-api package, versions <9.0.10-3.7.1
Snyk CVSS
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-SLES150-TOMCATJSP23API-2760285
- published 14 Apr 2022
- disclosed 28 Nov 2018
Introduced: 28 Nov 2018
CVE-2018-8037 Open this link in a new tabHow to fix?
Upgrade SLES:15.0
tomcat-jsp-2_3-api
to version 9.0.10-3.7.1 or higher.
NVD Description
Note: Versions mentioned in the description apply only to the upstream tomcat-jsp-2_3-api
package and not the tomcat-jsp-2_3-api
package as distributed by SLES:15.0
.
See How to fix?
for SLES:15.0
relevant fixed versions and status.
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
References
- CVE-2018-8037
- E-Mail link for SUSE-SU-2018:3011-1
- Link for SUSE-SU-2018:3011-1
- SUSE Bug 1003579
- SUSE Bug 1067720
- SUSE Bug 1093697
- SUSE Bug 1102379
- SUSE Bug 1102400
- SUSE Bug 1102410
- SUSE CVE CVE-2018-1336 page
- SUSE CVE CVE-2018-8014 page
- SUSE CVE CVE-2018-8034 page
- SUSE CVE CVE-2018-8037 page
- SUSE Security Ratings
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org
- security@apache.org