CVE-2013-2071

Published: Jun 1, 2013Modified: Apr 29, 2026

2.6

Vector

AV:N/AC:H/Au:N/C:P/I:N/A:N

Exploitability: 4.9 / Impact: 2.9

Source: NVD

Description

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

Affected (31)

Products: Apache: Tomcat

1 product

Configuration A

31 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 7.0.0
Apache Tomcat	Version 7.0.0 beta
Apache Tomcat	Version 7.0.10
Apache Tomcat	Version 7.0.11
Apache Tomcat	Version 7.0.12
Apache Tomcat	Version 7.0.13
Apache Tomcat	Version 7.0.14
Apache Tomcat	Version 7.0.15
Apache Tomcat	Version 7.0.16
Apache Tomcat	Version 7.0.17
Apache Tomcat	Version 7.0.18
Apache Tomcat	Version 7.0.19
Apache Tomcat	Version 7.0.1
Apache Tomcat	Version 7.0.20
Apache Tomcat	Version 7.0.21
Apache Tomcat	Version 7.0.22
Apache Tomcat	Version 7.0.23
Apache Tomcat	Version 7.0.25
Apache Tomcat	Version 7.0.28
Apache Tomcat	Version 7.0.2
Apache Tomcat	Version 7.0.2 beta
Apache Tomcat	Version 7.0.30
Apache Tomcat	Version 7.0.32
Apache Tomcat	Version 7.0.3
Apache Tomcat	Version 7.0.4
Apache Tomcat	Version 7.0.4 beta
Apache Tomcat	Version 7.0.5
Apache Tomcat	Version 7.0.6
Apache Tomcat	Version 7.0.7
Apache Tomcat	Version 7.0.8
Apache Tomcat	Version 7.0.9

Related CWEs

Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

References (28)

http://archives.neohapsis.com/archives/bugtraq/2013-05/0040.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105855.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106342.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2013-08/msg00013.html

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=139344248911289&w=2

Source: secalert@redhat.com

http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AsyncContextImpl.java?r1=1471372&r2=1471371&pathrev=1471372

Source: secalert@redhat.com

Patch

http://svn.apache.org/viewvc?view=revision&revision=1471372

Source: secalert@redhat.com

Patch

http://tomcat.apache.org/security-7.html

Source: secalert@redhat.com

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

Source: secalert@redhat.com

http://www.securityfocus.com/bid/59798

Source: secalert@redhat.com

http://www.securityfocus.com/bid/64758

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-1841-1

Source: secalert@redhat.com

https://issues.apache.org/bugzilla/show_bug.cgi?id=54178

Source: secalert@redhat.com

Exploit

http://archives.neohapsis.com/archives/bugtraq/2013-05/0040.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105855.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106342.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2013-08/msg00013.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://marc.info/?l=bugtraq&m=139344248911289&w=2

Source: af854a3a-2127-422b-91ae-364da2661108

http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AsyncContextImpl.java?r1=1471372&r2=1471371&pathrev=1471372

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://svn.apache.org/viewvc?view=revision&revision=1471372

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

http://tomcat.apache.org/security-7.html

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/59798

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.securityfocus.com/bid/64758

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-1841-1

Source: af854a3a-2127-422b-91ae-364da2661108

https://issues.apache.org/bugzilla/show_bug.cgi?id=54178

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

Timeline

No history available yet.