java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

Metrics

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:H/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Affected Vendors & Products

Vendors Products
Apache
  • Tomcat
Redhat
  • Jboss Enterprise Web Server

Configuration 1 [-]

OR cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat JBoss Enterprise Web Server 2 for RHEL 5
apache-commons-daemon-eap6-1:1.0.15-4.redhat_1.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
apache-commons-daemon-jsvc-eap6-1:1.0.15-1.redhat_1.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
apache-commons-pool-eap6-0:1.6-6.redhat_4.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
dom4j-0:1.6.1-19.redhat_5.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
ecj3-1:3.7.2-6.redhat_1.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
httpd-0:2.2.22-23.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
mod_cluster-0:1.2.4-1.Final_redhat_1.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
mod_cluster-native-0:1.2.4-1.Final.redhat_1.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
mod_jk-0:1.2.37-2.redhat_1.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
tomcat6-0:6.0.37-8_patch_01.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
tomcat7-0:7.0.40-9_patch_01.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
tomcat-native-0:1.1.27-4.redhat_1.ep6.el5 cpe:/a:redhat:jboss_enterprise_web_server:2::el5 RHSA-2013:1011 2013-07-03T00:00:00Z
Red Hat JBoss Enterprise Web Server 2 for RHEL 6
apache-commons-daemon-eap6-1:1.0.15-4.redhat_1.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
apache-commons-daemon-jsvc-eap6-1:1.0.15-1.redhat_1.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
apache-commons-pool-eap6-0:1.6-6.redhat_4.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
dom4j-0:1.6.1-19.redhat_5.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
ecj3-1:3.7.2-6.redhat_1.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
httpd-0:2.2.22-23.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
mod_cluster-0:1.2.4-1.Final_redhat_1.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
mod_cluster-native-0:1.2.4-1.Final.redhat_1.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
mod_jk-0:1.2.37-2.redhat_1.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
tomcat6-0:6.0.37-10_patch_01.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
tomcat7-0:7.0.40-5_patch_01.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
tomcat-native-0:1.1.27-4.redhat_1.ep6.el6 cpe:/a:redhat:jboss_enterprise_web_server:2::el6 RHSA-2013:1012 2013-07-03T00:00:00Z
Red Hat JBoss Web Server 2.0
cpe:/a:redhat:jboss_enterprise_web_server:2.0 RHSA-2013:1013 2013-07-03T00:00:00Z
References
Link Providers
http://archives.neohapsis.com/archives/bugtraq/2013-05/0040.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105855.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/105886.html cve-icon cve-icon
http://lists.fedoraproject.org/pipermail/package-announce/2013-May/106342.html cve-icon cve-icon
http://lists.opensuse.org/opensuse-updates/2013-08/msg00013.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=139344248911289&w=2 cve-icon cve-icon
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/AsyncContextImpl.java?r1=1471372&r2=1471371&pathrev=1471372 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1471372 cve-icon cve-icon
http://tomcat.apache.org/security-7.html cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html cve-icon cve-icon
http://www.securityfocus.com/bid/59798 cve-icon cve-icon
http://www.securityfocus.com/bid/64758 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-1841-1 cve-icon cve-icon
https://issues.apache.org/bugzilla/show_bug.cgi?id=54178 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2013-2071 cve-icon
https://www.cve.org/CVERecord?id=CVE-2013-2071 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2013-06-01T10:00:00

Updated: 2024-08-06T15:27:40.654Z

Reserved: 2013-02-19T00:00:00

Link: CVE-2013-2071

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2013-06-01T14:21:05.890

Modified: 2017-05-23T01:29:01.257

Link: CVE-2013-2071

cve-icon Redhat

Severity : Low

Publid Date: 2013-05-10T00:00:00Z

Links: CVE-2013-2071 - Bugzilla