|Description||The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
|References||DLA-728-1, DLA-729-1, DSA-3738-1, DSA-3739-1|
Vulnerable and fixed packages
The table below lists information on source packages.
|tomcat9 (PTS)||buster, buster (security)||9.0.31-1~deb10u6||fixed|
|bullseye (security), bullseye||9.0.43-2~deb11u3||fixed|
The information below is based on the following data on fixed versions.
- tomcat9 <not-affected> (Fixed before initial upload to Debian)
Since 7.0.72-3, src:tomcat7 only builds the Servlet API
Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
Fixed by: http://svn.apache.org/r1767653 (8.0.x)
Fixed by: http://svn.apache.org/r1767675 (7.0.x)
Fixed by: http://svn.apache.org/r1767683 (6.0.x)