CVE-2007-6286 – org.apache.tomcat:tomcat

Package

Manager: maven
Name: org.apache.tomcat:tomcat
Vulnerable Version: >=5.5.11 <=5.5.25 || >=6.0.0 <=6.0.15

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.1187 pctl0.9349

Details

Apache Tomcat Does Not Properly Handle Empty Requests Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

Metadata

Created: 2022-05-01T18:41:17Z
Modified: 2023-09-22T21:07:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qrj4-rmqg-4hcp/GHSA-qrj4-rmqg-4hcp.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-qrj4-rmqg-4hcp
Finding: F308
Auto approve: 1