CVE-2013-2071 Request mix-up if AsyncListener method throws
RuntimeException
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- - Tomcat 7.0.0 to 7.0.39
Description:
Bug 54178 described a scenario where elements of a previous request may
be exposed to a current request. This was very difficult to exploit
deliberately but fairly likely to happen unexpectedly if an application
used AsyncListeners that threw RuntimeExceptions. The issue was fixed by
catching the RuntimeExceptions.
Mitigation:
Users of affected versions should apply the following mitigation:
- - Tomcat 7.0.x users should upgrade to 7.0.40 or later
Credit:
The security implications of this issue were identified by the Apache
Tomcat Security Team.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=54178