GHSA-mppv-79ch-vw6q

GitHub Security Advisory

Apache Tomcat vulnerable to information leak

GitHub Reviewed | Severity: HIGH | Has CVE

Advisory Details

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for that response. This in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request, leading to an information leak.
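To make the failure mode concrete from the proxy's side, here is an added example (not code from the advisory, Tomcat or mod_proxy_ajp) that frames and parses the container-to-proxy half of AJP13 and audits each response for whether a SEND_HEADERS message was ever sent before END_RESPONSE. The packet layout used (magic "AB", 2-byte length, prefix codes 3/4/5, 2-byte-length NUL-terminated strings, 0xA0xx codes for well-known header names) is the AJP13 wire format as I understand it; the sample stream is constructed, not captured traffic. Response 2 models what the regressed versions emit for a header-less response, and response 3 models the corrected behaviour (a SEND_HEADERS message declaring zero headers), which is what a proxy needs in order to discard the previous response's headers.

```python
import struct

# AJP13 container-to-proxy prefix codes (assumed from the AJP13 protocol description)
SEND_BODY_CHUNK = 3
SEND_HEADERS = 4
END_RESPONSE = 5


def ajp_string(s):
    """AJP string: 2-byte big-endian length, the bytes, then a NUL terminator."""
    return struct.pack(">H", len(s)) + s + b"\x00"


def ajp_packet(payload):
    """Container-to-proxy frame: magic 'AB', 2-byte payload length, payload."""
    return b"AB" + struct.pack(">H", len(payload)) + payload


def build_send_headers(status, reason, headers):
    """SEND_HEADERS: status, reason string, header count, then name/value strings."""
    body = bytes([SEND_HEADERS]) + struct.pack(">H", status) + ajp_string(reason)
    body += struct.pack(">H", len(headers))
    for name, value in headers:
        body += ajp_string(name) + ajp_string(value)
    return ajp_packet(body)


def build_body_chunk(data):
    """SEND_BODY_CHUNK: 2-byte chunk length followed by the chunk bytes."""
    return ajp_packet(bytes([SEND_BODY_CHUNK]) + struct.pack(">H", len(data)) + data)


def build_end_response(reuse=True):
    """END_RESPONSE: one flag byte saying whether the connection may be reused."""
    return ajp_packet(bytes([END_RESPONSE, 1 if reuse else 0]))


def read_string(buf, off):
    """Decode an AJP string at buf[off]; return (bytes, offset past the NUL)."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return bytes(buf[off:off + n]), off + n + 1


def parse_frames(stream):
    """Return a list of (prefix, payload_without_prefix) for every frame in the stream."""
    frames, off = [], 0
    while off < len(stream):
        if stream[off:off + 2] != b"AB":
            raise ValueError("bad AJP magic at offset %d" % off)
        (length,) = struct.unpack_from(">H", stream, off + 2)
        payload = stream[off + 4:off + 4 + length]
        if length == 0 or len(payload) != length:
            raise ValueError("truncated or empty AJP packet at offset %d" % off)
        frames.append((payload[0], payload[1:]))
        off += 4 + length
    return frames


def parse_send_headers(payload):
    """Decode a SEND_HEADERS payload into (status, reason, [(name, value), ...])."""
    (status,) = struct.unpack_from(">H", payload, 0)
    reason, off = read_string(payload, 2)
    (count,) = struct.unpack_from(">H", payload, off)
    off += 2
    headers = []
    for _ in range(count):
        if payload[off] == 0xA0:  # well-known header name sent as a 2-byte 0xA0xx code
            (code,) = struct.unpack_from(">H", payload, off)
            name, off = ("code-%04x" % code).encode(), off + 2
        else:
            name, off = read_string(payload, off)
        value, off = read_string(payload, off)
        headers.append((name, value))
    return status, reason, headers


def audit_responses(stream):
    """One record per END_RESPONSE: whether a SEND_HEADERS message preceded it and how
    many headers it declared. sent_headers=False is exactly the case in which a proxy
    has received nothing to replace the previous response's headers with."""
    results, saw_headers, header_count = [], False, 0
    for prefix, payload in parse_frames(stream):
        if prefix == SEND_HEADERS:
            saw_headers = True
            header_count = len(parse_send_headers(payload)[2])
        elif prefix == END_RESPONSE:
            results.append({"sent_headers": saw_headers, "header_count": header_count})
            saw_headers, header_count = False, 0
    return results


# Constructed sample stream (not captured traffic): three responses on one reused connection.
SAMPLE_STREAM = (
    # 1) ordinary response carrying one header
    build_send_headers(200, b"OK", [(b"Content-Type", b"text/plain")])
    + build_body_chunk(b"hello")
    + build_end_response()
    # 2) header-less response as the regressed versions emit it: no SEND_HEADERS at all
    + build_body_chunk(b"bare")
    + build_end_response()
    # 3) header-less response as a fixed version emits it: SEND_HEADERS declaring 0 headers
    + build_send_headers(200, b"OK", [])
    + build_end_response()
)

if __name__ == "__main__":
    for i, r in enumerate(audit_responses(SAMPLE_STREAM), 1):
        print("response %d: %s" % (i, r))
```

Running the script prints one line per response; only the second reports `sent_headers: False`. The same `audit_responses` pass can be run over a raw capture of the AJP connector port to confirm whether a given Tomcat build ever finishes a response without a SEND_HEADERS message, which is a more direct check than reading the version string alone.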

Affected Packages

Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: 11.0.0-M5 (fixed in 11.0.0-M6)
Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: 10.1.8 (fixed in 10.1.9)
Maven org.apache.tomcat.embed:tomcat-embed-core
Affected versions: 9.0.74 (fixed in 9.0.75)
Maven org.apache.tomcat:tomcat-coyote
Affected versions: 8.5.88 (fixed in 8.5.89)

Key Information

GHSA ID
GHSA-mppv-79ch-vw6q
Published
June 21, 2023 12:30 PM
Last Modified
April 24, 2024 7:44 PM
CVSS Score
7.5 / 10
Primary Ecosystem
Maven
Primary Package
org.apache.tomcat.embed:tomcat-embed-core
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 27, 2025 6:35 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.