Description
CVE-2017-5651 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.4.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: fitbit-api-example-java2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.4/tomcat-embed-core-8.5.4.jar
Dependency Hierarchy:
- spring-boot-starter-web-1.4.0.RELEASE.jar (Root Library)
- spring-boot-starter-tomcat-1.4.0.RELEASE.jar
- ❌ tomcat-embed-core-8.5.4.jar (Vulnerable Library)
- spring-boot-starter-tomcat-1.4.0.RELEASE.jar
Found in HEAD commit: 8c153ad064e8f07a4ddade35ac13a9b485ca3dac
Found in base branch: master
Vulnerability Details
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.
Publish Date: 2017-04-17
URL: CVE-2017-5651
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5651
Release Date: 2017-04-17
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M19,8.5.13,org.apache.tomcat:tomcat-coyote:9.0.0.M19,8.5.13
Step up your Open Source Security Game with WhiteSource here