A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times, allowing information leakage between requests including, but not limited to, the session ID and the response body.
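
The flaw class described above, as an added example: a simplified model of an object cache that accepts the same instance twice, next to a guarded release. This is not Tomcat's code or its actual fix; `ProcessorCacheDemo`, `Processor`, `release`, `releaseOnce` and the session value are hypothetical names constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class ProcessorCacheDemo {
    // Simplified stand-in for a processor that holds per-request state.
    static class Processor {
        String sessionId;   // belongs to whichever request currently uses it
        boolean pooled;     // consulted only by the guarded release
    }

    static final Deque<Processor> cache = new ArrayDeque<>();

    static Processor acquire() {
        Processor p = cache.isEmpty() ? new Processor() : cache.pop();
        p.pooled = false;
        return p;
    }

    // Unguarded release: nothing stops the same instance being cached twice.
    static void release(Processor p) {
        p.sessionId = null;
        cache.push(p);
    }

    // Guarded release: an instance already in the cache is not added again.
    static void releaseOnce(Processor p) {
        if (p.pooled) return;
        p.pooled = true;
        p.sessionId = null;
        cache.push(p);
    }

    // Models an error path and the normal cleanup both returning the processor.
    static boolean sharedAfterDoubleRelease(boolean guarded) {
        cache.clear();
        Processor p = acquire();
        for (int i = 0; i < 2; i++) {
            if (guarded) releaseOnce(p); else release(p);
        }
        Processor a = acquire();   // request A
        Processor b = acquire();   // request B, in flight at the same time
        a.sessionId = "session-A (constructed)";
        // True when B can read state that A wrote into the shared instance.
        return a == b && "session-A (constructed)".equals(b.sessionId);
    }

    public static void main(String[] args) {
        System.out.println("unguarded shared: " + sharedAfterDoubleRelease(false));
        System.out.println("guarded shared:   " + sharedAfterDoubleRelease(true));
    }
}
```

With the unguarded release, two concurrent requests receive the same instance and one sees the other's state; with the guarded release, the second request gets a separate instance.
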
Find out more about CVE-2016-8745 from the MITRE CVE dictionary and NIST NVD.

Base Score | 4.3 |
---|---|
Base Metrics | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Access Vector | Network |
Access Complexity | Medium |
Authentication | None |
Confidentiality Impact | Partial |
Integrity Impact | None |
Availability Impact | None |

CVSS3 Base Score | 7.5 |
---|---|
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity Impact | None |
Availability Impact | None |

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Platform | Errata | Release Date |
---|---|---|
Red Hat Enterprise Linux 7 (tomcat) | RHSA-2017:0935 | 2017-04-12 |
Red Hat JBoss Web Server 3.1 for RHEL 7 | RHSA-2017:0456 | 2017-03-07 |
Red Hat Enterprise Linux 6 (tomcat6) | RHSA-2017:0527 | 2017-03-15 |
Red Hat JBoss Web Server 3.1 | RHSA-2017:0457 | 2017-03-07 |
Red Hat JBoss Web Server 3.1 for RHEL 6 | RHSA-2017:0455 | 2017-03-07 |

Platform | Package | State |
---|---|---|
Red Hat JBoss Operations Network 3 | jbossweb | Not affected |
Red Hat JBoss Fuse Service Works 6 | jbossweb | Not affected |
Red Hat JBoss Fuse 6 | karaf | Not affected |
Red Hat JBoss EWS 2 | tomcat7 | Will not fix |
Red Hat JBoss EWS 2 | tomcat6 | Will not fix |
Red Hat JBoss EAP 6 | jbossweb | Not affected |
Red Hat JBoss EAP 5 | jbossweb | Not affected |
Red Hat JBoss Data Virtualization 6 | jbossweb | Not affected |
Red Hat JBoss Data Grid 6 | jbossweb | Not affected |
Red Hat JBoss BRMS 5 | jbossweb | Not affected |
Red Hat Enterprise Linux 5 | tomcat5 | Not affected |