CVE-2018-8037

Severity: Unknown
EPSS: 12.06%


CVE-2018-8037 is an Apache Tomcat vulnerability of currently unknown severity (no CVSS score is recorded on this page). If an application completed an async request at the same moment the container triggered the async timeout, a race condition could cause a user to receive a response intended for a different user. A second issue in the NIO and NIO2 connectors failed to track connection closure correctly under the same completion-versus-timeout race, with the same outcome: one user seeing another user's response. EPSS estimates a 12.06% probability of exploitation activity in the next 30 days.

Description

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31. Fixed in Apache Tomcat 9.0.10 and 8.5.32.

Metrics

EPSS probability: 12.06% (95.6th percentile)

The EPSS figure is the modelled probability of exploitation activity in the next 30 days.

Weakness Enumeration

Affected Software

Vendor   Product        Versions
Apache   Tomcat         >= 8.5.5, <= 8.5.31
Apache   Tomcat         >= 9.0.1, <= 9.0.9
Apache   Tomcat         9.0.0 (milestone builds; the description gives 9.0.0.M9 as the first affected)
Debian   Debian Linux   9.0
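A version triage helper, added here as an example; it is not part of the NVD record or of Tomcat. It parses Tomcat version strings as they appear in a Server header or in the output of catalina.sh version, including 9.0.0.Mnn milestone builds, which must sort before 9.0.1, and checks each against the affected ranges above. The hostnames and banners in the inventory are constructed for the example.

```python
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Matches "8.5.31", "9.0.10" and milestone builds such as "9.0.0.M9".
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?\b")


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    ga: int         # 1 for a GA release, 0 for a milestone, so 9.0.0.M27 < 9.0.1
    milestone: int  # the nn in Mnn; 0 for GA releases


def parse_version(text: str) -> Optional[TomcatVersion]:
    """Pull a Tomcat version out of a banner such as 'Apache Tomcat/9.0.9'
    or a 'Server version: Apache Tomcat/9.0.0.M9' line. None if absent."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


# Inclusive affected ranges from the advisory text (fixed in 8.5.32 and 9.0.10).
AFFECTED_RANGES: Tuple[Tuple[TomcatVersion, TomcatVersion], ...] = (
    (parse_version("8.5.5"), parse_version("8.5.31")),
    (parse_version("9.0.0.M9"), parse_version("9.0.9")),
)


def is_affected(text: str) -> Optional[bool]:
    """True if the version in `text` is in an affected range, False if not,
    None if no version could be parsed (e.g. a bare Apache-Coyote banner)."""
    v = parse_version(text)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify each (host, banner) pair as affected / not affected / unknown."""
    verdicts = {}
    for host, banner in inventory:
        hit = is_affected(banner)
        verdicts[host] = "unknown" if hit is None else ("affected" if hit else "not affected")
    return verdicts


# Constructed sample inventory (hypothetical hostnames and banners), not real data.
SAMPLE_INVENTORY = [
    ("app-01", "Server version: Apache Tomcat/8.5.31"),
    ("app-02", "Server version: Apache Tomcat/8.5.32"),
    ("app-03", "Server version: Apache Tomcat/9.0.0.M27"),
    ("app-04", "Server version: Apache Tomcat/9.0.10"),
    ("app-05", "Server: Apache-Coyote/1.1"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

Two caveats apply to any such check. A distribution package, such as the Debian 9 entry above, can carry the fix under a version number that still falls inside the affected range, so a hit on a distro-packaged Tomcat should be confirmed against the package changelog rather than treated as proof. And a Server header is routinely suppressed or rewritten, so an "unknown" verdict means only that the banner was uninformative, not that the host is safe.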

References

Timeline

Published:
Last Modified:
Status: Modified

Frequently Asked Questions

What is CVE-2018-8037?
A race condition in Apache Tomcat's async request handling. When the application completed an async request at the same time as the container triggered the async timeout, one user could receive a response intended for a different user; the NIO and NIO2 connectors had a related connection-closure tracking bug with the same effect. Affected versions are Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
How severe is CVE-2018-8037?
Severity scoring for CVE-2018-8037 is pending analysis. The EPSS model estimates a 12.06% probability of exploitation in the next 30 days.
How do I fix CVE-2018-8037?
Upgrade to Apache Tomcat 8.5.32 or 9.0.10 or later. On Debian, apply the distribution's security update for its Tomcat package and confirm the fix in the package changelog, since a backported fix does not change the upstream version string. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2018-8037?

Run a free Strix scan to check your systems for this vulnerability.


Source: NVD / NIST