7.5
CVSSv2

CVE-2017-5651

Published: 17/04/2017 Updated: 08/12/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 8.5.2

apache tomcat 8.5.9

apache tomcat 8.5.4

apache tomcat 8.5.0

apache tomcat 8.5.10

apache tomcat 8.5.5

apache tomcat 8.5.3

apache tomcat 8.5.6

apache tomcat 8.5.7

apache tomcat 8.5.8

apache tomcat 8.5.12

apache tomcat 8.5.11

apache tomcat 8.5.1

apache tomcat 9.0.0

Vendor Advisories

Debian Bug report logs - #860069 tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651 Package: src:tomcat8; Maintainer for src:tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 11 Apr 2017 04:48:01 UTC Owne ...
Debian Bug report logs - #860068 tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651 Package: src:tomcat8; Maintainer for src:tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 11 Apr 2017 04:45:02 UTC Owne ...
Debian Bug report logs - #860070 tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651 Package: src:tomcat8; Maintainer for src:tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 11 Apr 2017 04:48:04 UTC Owne ...
Debian Bug report logs - #860071 tomcat8: CVE-2017-5647, CVE-2017-5648, CVE-2017-5650, CVE-2017-5651 Package: src:tomcat8; Maintainer for src:tomcat8 is Debian Java Maintainers <pkg-java-maintainers@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 11 Apr 2017 04:51:02 UTC Owne ...
In Apache Tomcat 900M1 to 900M18 and 850 to 8512, the refactoring of the HTTP connectors introduced a regression in the send file processing If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice This could result in the same Processor being used for multiple requests wh ...

References

NVD-CWE-noinfohttps://bz.apache.org/bugzilla/show_bug.cgi?id=60918http://www.securityfocus.com/bid/97544https://security.gentoo.org/glsa/201705-09http://www.securitytracker.com/id/1038219http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.htmlhttps://security.netapp.com/advisory/ntap-20180614-0001/https://lists.apache.org/thread.html/6694538826b87522fb723d2dcedd537e14ebe0a381d92e5525a531d8%40%3Cannounce.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3Ehttps://nvd.nist.govhttps://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860069https://access.redhat.com/security/cve/cve-2017-5651