N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2013-2071

GHSA ID

GHSA-3p5r-7cw3-2m67

EPSS Score

0.91016%

CWE

CWE-200

Published

5/17/2022

Updated

1/27/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2013-2071

CVE-2013-2071: Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2013-2071

CVE-2013-2071:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2013-2071

GHSA ID

GHSA-3p5r-7cw3-2m67

EPSS Score

0.91016%

CWE

CWE-200

Published

5/17/2022

Updated

1/27/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.apache.tomcat:tomcat	maven	>= 7.0.0, < 7.0.40	7.0.40

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of RuntimeExceptions in AsyncListener callbacks. The patch modifies four key methods in AsyncContextImpl that process listener events, changing their exception handling from catching specific IOExceptions to general Throwables. These functions would appear in stack traces when processing malicious AsyncListeners that throw RuntimeExceptions, as they were the entry points for listener execution with insufficient error handling prior to the patch. The ExceptionUtils.handleThrowable addition in the patch confirms these were the vulnerable execution paths.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2013-2071: Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

CVE-2013-2071:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

N/A

N/A

Basic Information

Basic Information

Technical Details

CVE-2013-2071: Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI