CVE-2018-8037
Description
If an application completed an async request at the same moment the container fired the async timeout for that request, a race condition could cause one user to receive the response intended for a different user. A second, related defect in the NIO and NIO2 connectors failed to track closure of the connection when an async request was completed by the application and timed out by the container simultaneously; this, too, could deliver one user's response to another user. Only applications that place requests into Servlet asynchronous mode (startAsync with a container async timeout) exercise this code path, and the race window is narrow and not directly attacker-controlled, which the CVSS vector below reflects as high attack complexity; the impact is cross-user information disclosure, with no integrity or availability effect. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31. The fix shipped in 9.0.10 and 8.5.32 (see the tomcat-embed-core entries in the table below); remediation is to upgrade, or to apply one of the vendor backports listed below.
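The affected ranges above span a milestone build (9.0.0.M9), so a plain string or float comparison of version numbers gets the boundary wrong. The following is an added example, not code from this page or from the Apache Tomcat project: it orders Tomcat versions so that milestones sort below the final release of the same number, tests a version against the two affected ranges, and names the first fixed release (9.0.10 or 8.5.32, as the table below states). The `extract_version` helper assumes the `Apache Tomcat/x.y.z` banner format printed by Tomcat's `version.sh`; the banners in the `__main__` block are constructed samples, not output from a real host.

```python
"""Check whether an Apache Tomcat version is in the ranges listed for
CVE-2018-8037 (9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31, inclusive)."""
import re
from typing import Optional, Tuple

# Inclusive ranges taken from the advisory text on this page.
AFFECTED_RANGES = (
    ("9.0.0.M9", "9.0.9"),
    ("8.5.5", "8.5.31"),
)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable tuple (major, minor, patch, is_final, milestone).

    A milestone such as 9.0.0.M9 sorts below the final 9.0.0, and 9.0.0
    sorts below 9.0.1, which is the ordering the affected range relies on.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if `version` lies inside one of the advisory's ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def first_fixed(version: str) -> Optional[str]:
    """First release on the same branch carrying the fix, or None if the
    version is not affected (9.0.10 for 9.x, 8.5.32 for 8.5.x)."""
    if not is_affected(version):
        return None
    return "9.0.10" if parse_version(version)[0] == 9 else "8.5.32"


def extract_version(banner: str) -> Optional[str]:
    """Pull the version out of a line such as
    'Server version: Apache Tomcat/9.0.9' (assumed version.sh banner
    format).  Returns None when no version is present."""
    m = re.search(r"Apache Tomcat/(\d+\.\d+\.\d+(?:\.M\d+)?)", banner)
    return m.group(1) if m else None


if __name__ == "__main__":
    # Constructed sample banners, not collected from real hosts.
    samples = (
        "Server version: Apache Tomcat/9.0.9",
        "Server version: Apache Tomcat/9.0.0.M8",
        "Server version: Apache Tomcat/8.5.31",
        "Server version: Apache Tomcat/8.5.32",
    )
    for banner in samples:
        v = extract_version(banner)
        print(f"{v}: affected={is_affected(v)} upgrade_to={first_fixed(v)}")
```

Note that a distribution package such as the SUSE `tomcat-8.0.53` or Debian `tomcat8 8.5.14-1+deb9u3` entries below carries a backported fix without changing the upstream version number, so for vendor-packaged Tomcat the package release string, not the upstream version alone, decides exposure.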
Risk Information
Base Score
5.9
MODERATE
Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability (percent)
6.632
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerability CVE-2018-8034,CVE-2018-8037,CVE-2020-8022 are affected in Tomcat 9.0.9 | Windows |
| Vulnerabilities CVE-2018-8037,CVE-2018-8034,CVE-2018-8014 are fixed in Apache - tomcat-embed-core 8.5.32 | Windows |
| Vulnerabilities CVE-2018-8037,CVE-2018-8034 are fixed in Apache - tomcat-embed-core 9.0.10 | Windows |
| tomcat8 security update(DSA-3974-1) tomcat8_8.5.14-1+deb9u3_all.deb | Linux |
| tomcat8 security update(DSA-4281-1) tomcat8_8.5.14-1+deb9u3_all.deb | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-admin-webapps-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-docs-webapp-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-el-3_0-api-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-javadoc-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-jsp-2_3-api-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-lib-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-servlet-3_1-api-8.0.53-29.13.1.noarch.rpm | Linux |
| SUSE-SU-2018:2699-1(SUSE Linux Enterprise Server 12-SP3 ) tomcat-webapps-8.0.53-29.13.1.noarch.rpm | Linux |
| (RHSA-2019:1529) pki-deps:10.6 security update pki-servlet-container-9.0.7-14.module+el8.0.0+3248+9d514f3b.noarch.rpm | Linux |
| Python-nss-doc update (ELSA-2019-1529) python-nss-doc-1.0.1-10.module+el8.0.0+5231+3e842911.x86_64.rpm | Linux |
| Python3-nss update (ELSA-2019-1529) python3-nss-1.0.1-10.module+el8.0.0+5231+3e842911.x86_64.rpm | Linux |
| Apache-commons-collections update (ELSA-2019-1529) apache-commons-collections-3.2.2-10.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Apache-commons-lang update (ELSA-2019-1529) apache-commons-lang-2.6-21.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Bea-stax-api update (ELSA-2019-1529) bea-stax-api-1.2.0-16.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-fastinfoset update (ELSA-2019-1529) glassfish-fastinfoset-1.2.13-9.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-jaxb-api update (ELSA-2019-1529) glassfish-jaxb-api-2.2.12-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-jaxb-core update (ELSA-2019-1529) glassfish-jaxb-core-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-jaxb-runtime update (ELSA-2019-1529) glassfish-jaxb-runtime-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Glassfish-jaxb-txw2 update (ELSA-2019-1529) glassfish-jaxb-txw2-2.2.11-11.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-annotations update (ELSA-2019-1529) jackson-annotations-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-core update (ELSA-2019-1529) jackson-core-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-databind update (ELSA-2019-1529) jackson-databind-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-jaxrs-json-provider update (ELSA-2019-1529) jackson-jaxrs-json-provider-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-jaxrs-providers update (ELSA-2019-1529) jackson-jaxrs-providers-2.9.8-1.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jackson-module-jaxb-annotations update (ELSA-2019-1529) jackson-module-jaxb-annotations-2.7.6-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Jakarta-commons-httpclient update (ELSA-2019-1529) jakarta-commons-httpclient-3.1-28.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Javassist update (ELSA-2019-1529) javassist-3.18.1-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Javassist-javadoc update (ELSA-2019-1529) javassist-javadoc-3.18.1-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Pki-servlet-4.0-api update (ELSA-2019-1529) pki-servlet-4.0-api-9.0.7-14.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Pki-servlet-container update (ELSA-2019-1529) pki-servlet-container-9.0.7-14.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| RelaxngDatatype update (ELSA-2019-1529) relaxngDatatype-2011.1-7.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Resteasy update (ELSA-2019-1529) resteasy-3.0.26-3.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Slf4j update (ELSA-2019-1529) slf4j-1.7.25-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Slf4j-jdk14 update (ELSA-2019-1529) slf4j-jdk14-1.7.25-4.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Stax-ex update (ELSA-2019-1529) stax-ex-1.7.7-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Velocity update (ELSA-2019-1529) velocity-1.7-24.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xalan-j2 update (ELSA-2019-1529) xalan-j2-2.7.1-38.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xerces-j2 update (ELSA-2019-1529) xerces-j2-2.11.0-34.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xml-commons-apis update (ELSA-2019-1529) xml-commons-apis-1.4.01-25.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xml-commons-resolver update (ELSA-2019-1529) xml-commons-resolver-1.2-26.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xmlstreambuffer update (ELSA-2019-1529) xmlstreambuffer-1.5.4-8.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Xsom update (ELSA-2019-1529) xsom-0-19.20110809svn.module+el8.0.0+5231+3e842911.noarch.rpm | Linux |
| Vulnerability CVE-2018-8034,CVE-2018-8037,CVE-2020-8022 are affected in Tomcat 9.0.9 (For Linux) | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) slf4j-1.7.25-4.module+el8.5.0+697+f586bb30.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) velocity-1.7-24.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) xalan-j2-2.7.1-38.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) javassist-3.18.1-8.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) xerces-j2-2.11.0-34.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) javassist-javadoc-3.18.1-8.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) apache-commons-lang-2.6-21.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) xml-commons-resolver-1.2-26.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) apache-commons-collections-3.2.2-10.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| pki-deps:10.6 security update (RLSA-2019:1529) jakarta-commons-httpclient-3.1-28.module+el8.3.0+53+ea062990.noarch.rpm | Linux |
| Apache-commons-collections update (ELSA-2024-3061) apache-commons-collections-3.2.2-10.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Apache-commons-lang update (ELSA-2024-3061) apache-commons-lang-2.6-21.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Apache-commons-net update (ELSA-2024-3061) apache-commons-net-3.6-3.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Bea-stax-api update (ELSA-2024-3061) bea-stax-api-1.2.0-16.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Fasterxml-oss-parent update (ELSA-2024-3061) fasterxml-oss-parent-49-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-fastinfoset update (ELSA-2024-3061) glassfish-fastinfoset-1.2.13-9.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-jaxb-api update (ELSA-2024-3061) glassfish-jaxb-api-2.2.12-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-jaxb-core update (ELSA-2024-3061) glassfish-jaxb-core-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-jaxb-runtime update (ELSA-2024-3061) glassfish-jaxb-runtime-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Glassfish-jaxb-txw2 update (ELSA-2024-3061) glassfish-jaxb-txw2-2.2.11-12.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Idm-jss update (ELSA-2024-3061) idm-jss-4.11.0-1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux |
| Idm-jss-javadoc update (ELSA-2024-3061) idm-jss-javadoc-4.11.0-1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux |
| Idm-ldapjdk update (ELSA-2024-3061) idm-ldapjdk-4.24.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-ldapjdk-javadoc update (ELSA-2024-3061) idm-ldapjdk-javadoc-4.24.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-acme update (ELSA-2024-3061) idm-pki-acme-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-base update (ELSA-2024-3061) idm-pki-base-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-base-java update (ELSA-2024-3061) idm-pki-base-java-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-ca update (ELSA-2024-3061) idm-pki-ca-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-kra update (ELSA-2024-3061) idm-pki-kra-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-server update (ELSA-2024-3061) idm-pki-server-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Idm-pki-symkey update (ELSA-2024-3061) idm-pki-symkey-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux |
| Idm-pki-tools update (ELSA-2024-3061) idm-pki-tools-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.x86_64.rpm | Linux |
| Idm-tomcatjss update (ELSA-2024-3061) idm-tomcatjss-7.8.0-1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Jackson-annotations update (ELSA-2024-3061) jackson-annotations-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-bom update (ELSA-2024-3061) jackson-bom-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-core update (ELSA-2024-3061) jackson-core-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-databind update (ELSA-2024-3061) jackson-databind-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-jaxrs-json-provider update (ELSA-2024-3061) jackson-jaxrs-json-provider-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-jaxrs-providers update (ELSA-2024-3061) jackson-jaxrs-providers-2.14.2-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-module-jaxb-annotations update (ELSA-2024-3061) jackson-module-jaxb-annotations-2.14.2-2.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-modules-base update (ELSA-2024-3061) jackson-modules-base-2.14.2-2.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jackson-parent update (ELSA-2024-3061) jackson-parent-2.14-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Jakarta-commons-httpclient update (ELSA-2024-3061) jakarta-commons-httpclient-3.1-28.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Javassist update (ELSA-2024-3061) javassist-3.18.1-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Javassist-javadoc update (ELSA-2024-3061) javassist-javadoc-3.18.1-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Pki-servlet-engine update (ELSA-2024-3061) pki-servlet-engine-9.0.62-1.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Python3-idm-pki update (ELSA-2024-3061) python3-idm-pki-10.15.0-1.0.1.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| RelaxngDatatype update (ELSA-2024-3061) relaxngDatatype-2011.1-7.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Resteasy update (ELSA-2024-3061) resteasy-3.0.26-7.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Resteasy-javadoc update (ELSA-2024-3061) resteasy-javadoc-3.0.26-7.module+el8.10.0+90282+4ef18d4b.noarch.rpm | Linux |
| Slf4j update (ELSA-2024-3061) slf4j-1.7.25-4.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Slf4j-jdk14 update (ELSA-2024-3061) slf4j-jdk14-1.7.25-4.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Stax-ex update (ELSA-2024-3061) stax-ex-1.7.7-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Velocity update (ELSA-2024-3061) velocity-1.7-24.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xalan-j2 update (ELSA-2024-3061) xalan-j2-2.7.1-38.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xerces-j2 update (ELSA-2024-3061) xerces-j2-2.11.0-34.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xml-commons-apis update (ELSA-2024-3061) xml-commons-apis-1.4.01-25.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xml-commons-resolver update (ELSA-2024-3061) xml-commons-resolver-1.2-26.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xmlstreambuffer update (ELSA-2024-3061) xmlstreambuffer-1.5.4-8.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Xsom update (ELSA-2024-3061) xsom-0-19.20110809svn.module+el8.10.0+90302+23fbc0c1.noarch.rpm | Linux |
| Vulnerabilities CVE-2018-8037,CVE-2018-8034,CVE-2018-8014 are fixed in Apache - tomcat-embed-core for Linux 8.5.32 | Linux |
| Vulnerabilities CVE-2018-8037,CVE-2018-8034 are fixed in Apache - tomcat-embed-core for Linux 9.0.10 | Linux |
| Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) Vulnerability (CVE-2018-8037) | NCM |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2018-8037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-8.html