CVE-2017-5647

Summary

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Affected Software

VendorProductVersion RangeStatus
Apache Software FoundationApache Tomcat9.0.0.M1 to 9.0.0.M18affected
Apache Software FoundationApache Tomcat8.5.0 to 8.5.12affected
Apache Software FoundationApache Tomcat8.0.0.RC1 to 8.0.42affected
Apache Software FoundationApache Tomcat7.0.0 to 7.0.76affected
Apache Software FoundationApache Tomcat6.0.0 to 6.0.52affected

Weaknesses

  • unspecified

ADP Enrichment

CVE Program Container

Additional References

References