
CVE-2023-34981:
Apache Tomcat vulnerable to information leak

CVSS Score: 7.5 (CVSS v3.1)

Basic Information

EPSS Score: 0.45964%
Published: 6/21/2023
Updated: 10/9/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name                               Ecosystem  Vulnerable Versions  First Patched Version
org.apache.tomcat.embed:tomcat-embed-core  maven      = 11.0.0-M5          11.0.0-M6
org.apache.tomcat.embed:tomcat-embed-core  maven      = 10.1.8             10.1.9
org.apache.tomcat.embed:tomcat-embed-core  maven      = 9.0.74             9.0.75
org.apache.tomcat:tomcat-coyote            maven      = 8.5.88             8.5.89

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from how response headers were processed in AjpProcessor.prepareResponse(), the method that builds the AJP SEND_HEADERS message carrying the status line and response headers to the proxy. The pre-patch code used a single-pass for-loop over the headers that:

1) only generated the SEND_HEADERS message header during the first iteration;
2) could exit without sending any headers if all of them were removed via error handling; and
3) did not account for zero-header responses, for which the loop body never ran at all.

The fix commit introduced retry logic (a while-loop that regenerates the whole header block) to ensure at least one SEND_HEADERS message is always sent, confirming that the original function's flawed control flow was the root cause.
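
The control flow described above, as an added example that is not Tomcat's own code: a Python model of the pre-patch and post-patch header loops, plus a proxy-side decoder so the effect on the wire can be checked. The AJP13 SEND_HEADERS encoding used here is the real one (magic "AB", 2-byte length, message type 4, 2-byte status, reason phrase, header count, then headers whose well-known names are sent as 0xA0xx codes); the CR/LF validation rule, the index-reset restart inside the vulnerable loop, the decoder itself and the use of an empty byte string to mean "nothing was sent" are simplifying assumptions for illustration. Both encoders drop invalid headers; only the fixed one still emits a SEND_HEADERS message when that leaves zero headers, or when there were none to begin with.

```python
# Added example (not Tomcat's code): a model of the SEND_HEADERS control flow in
# AjpProcessor.prepareResponse() before and after the fix; see lead-in for assumptions.
import struct

JK_AJP13_SEND_HEADERS = 4
# Response header names that AJP13 sends as a two-byte code instead of a string.
RESPONSE_HEADER_CODES = {
    "Content-Type": 0xA001, "Content-Language": 0xA002, "Content-Length": 0xA003,
    "Date": 0xA004, "Last-Modified": 0xA005, "Location": 0xA006, "Set-Cookie": 0xA007,
    "Set-Cookie2": 0xA008, "Servlet-Engine": 0xA009, "Status": 0xA00A,
    "WWW-Authenticate": 0xA00B,
}
_CODE_BY_LOWER = {k.lower(): v for k, v in RESPONSE_HEADER_CODES.items()}
_NAME_BY_CODE = {v: k for k, v in RESPONSE_HEADER_CODES.items()}

def ajp_string(s):
    """AJP string: 2-byte length, bytes, NUL terminator."""
    data = s.encode("latin-1")
    return struct.pack(">H", len(data)) + data + b"\x00"

def read_string(buf, pos):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n].decode("latin-1"), pos + 3 + n

def header_is_valid(name, value):
    # Assumption: CR/LF in a value is the error that makes the connector drop a
    # header; Tomcat's actual validation is not reproduced here.
    return "\r" not in value and "\n" not in value

def encode_header(name, value):
    code = _CODE_BY_LOWER.get(name.lower())
    return (struct.pack(">H", code) if code else ajp_string(name)) + ajp_string(value)

def preamble(status, reason, count):
    """Message type, status, reason and header count: written before any header."""
    return (bytes([JK_AJP13_SEND_HEADERS]) + struct.pack(">H", status)
            + ajp_string(reason) + struct.pack(">H", count))

def finish_packet(payload):
    """Container-to-proxy packet: magic "AB", 2-byte length, payload."""
    return b"AB" + struct.pack(">H", len(payload)) + payload

def vulnerable_send_headers(status, reason, headers):
    """Pre-patch flow: the preamble is only written inside the header loop, on
    its first iteration, so zero headers (or all headers dropped) send nothing."""
    headers, msg, i = list(headers), b"", 0
    while i < len(headers):        # the single-pass loop; index reset on error
        if i == 0:
            msg = preamble(status, reason, len(headers))
        name, value = headers[i]
        if not header_is_valid(name, value):
            # Error handling: drop the header, discard the partial message and
            # restart so the header count is rewritten.
            del headers[i]
            msg, i = b"", 0
            continue
        msg += encode_header(name, value)
        i += 1
    return finish_packet(msg) if msg else b""   # b"" models "no message sent"

def fixed_send_headers(status, reason, headers):
    """Post-patch flow: an outer loop regenerates the whole message until no
    header is dropped, so exactly one SEND_HEADERS is always produced."""
    headers = list(headers)
    while True:
        msg, restart = preamble(status, reason, len(headers)), False
        for i, (name, value) in enumerate(headers):
            if not header_is_valid(name, value):
                del headers[i]
                restart = True
                break
            msg += encode_header(name, value)
        if not restart:
            return finish_packet(msg)

def parse_send_headers(packet):
    """Proxy-side decoder: None if nothing arrived, else (status, reason, headers)."""
    if not packet:
        return None
    if packet[:2] != b"AB" or packet[4] != JK_AJP13_SEND_HEADERS:
        raise ValueError("not an AJP SEND_HEADERS packet")
    (length,) = struct.unpack(">H", packet[2:4])
    body = packet[4:4 + length]
    (status,) = struct.unpack(">H", body[1:3])
    reason, pos = read_string(body, 3)
    (count,) = struct.unpack(">H", body[pos:pos + 2])
    pos, headers = pos + 2, []
    for _ in range(count):
        (first,) = struct.unpack(">H", body[pos:pos + 2])
        if first & 0xFF00 == 0xA000:           # coded header name
            name, pos = _NAME_BY_CODE[first], pos + 2
        else:                                  # string header name
            name, pos = read_string(body, pos)
        value, pos = read_string(body, pos)
        headers.append((name, value))
    if pos != len(body):
        raise ValueError("header count does not match payload")
    return status, reason, headers

if __name__ == "__main__":
    # Constructed sample: a 204 with no headers, the zero-header case from the analysis.
    for label, fn in (("vulnerable", vulnerable_send_headers), ("fixed", fixed_send_headers)):
        print(label, parse_send_headers(fn(204, "204", [])))
```

Running the block prints None for the vulnerable encoder and (204, '204', []) for the fixed one: the proxy receives no SEND_HEADERS at all for the 204, which is the condition the advisory describes, while the fixed flow still delivers a well-formed message with a zero header count. The decoder's final length check is the kind of consistency check a proxy should make, since the header count is written before the headers and a dropped header would otherwise leave a stale count on the wire.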


WAF Protection Rules

WAF Rule

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS message would be sent for the response which in turn meant that at least one AJ
