Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1xcmo0LXJtcWctNGhjcM2skg

Apache Tomcat Does Not Properly Handle Empty Requests

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

Permalink: https://github.com/advisories/GHSA-qrj4-rmqg-4hcp
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1xcmo0LXJtcWctNGhjcM2skg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 7 months ago


Identifiers: GHSA-qrj4-rmqg-4hcp, CVE-2007-6286
References:
Blast Radius: 0.0

Affected Packages

maven:org.apache.tomcat:tomcat
Dependent packages: 30
Dependent repositories: 438
Downloads:
Affected Version Ranges: >= 6.0.0, <= 6.0.15; >= 5.5.11, <= 5.5.25
No known fixed version
All affected versions: