// For flags

CVE-2011-3375

tomcat: information disclosure due to improper response and request object recycling

Severity Score

5.3
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.

Apache Tomcat v6.0.30 a v6.0.33 y v7.x antes de v7.0.22 no realiza correctamente ciertas operaciones de almacenamiento en caché y reciclado de objetos de solicitud, lo cual permite a atacantes remotos obtener acceso de lectura a la dirección IP y a la información de la cabecera HTTP en determinadas circunstancias leyendo datos TCP.

Apache Tomcat versions 7.0.0 through 7.0.21 and 6.0.30 through 6.0.33 suffer from an information disclosure vulnerability. For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that needed to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled before being used for the next request. That lead to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
High
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2011-08-30 CVE Reserved
  • 2012-01-18 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.30
Search vendor "Apache" for product "Tomcat" and version "6.0.30"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.31
Search vendor "Apache" for product "Tomcat" and version "6.0.31"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.32
Search vendor "Apache" for product "Tomcat" and version "6.0.32"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 6.0.33
Search vendor "Apache" for product "Tomcat" and version "6.0.33"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.0
Search vendor "Apache" for product "Tomcat" and version "7.0.0"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.1
Search vendor "Apache" for product "Tomcat" and version "7.0.1"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.2
Search vendor "Apache" for product "Tomcat" and version "7.0.2"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.3
Search vendor "Apache" for product "Tomcat" and version "7.0.3"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.4
Search vendor "Apache" for product "Tomcat" and version "7.0.4"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.5
Search vendor "Apache" for product "Tomcat" and version "7.0.5"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.6
Search vendor "Apache" for product "Tomcat" and version "7.0.6"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.7
Search vendor "Apache" for product "Tomcat" and version "7.0.7"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.8
Search vendor "Apache" for product "Tomcat" and version "7.0.8"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.9
Search vendor "Apache" for product "Tomcat" and version "7.0.9"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.10
Search vendor "Apache" for product "Tomcat" and version "7.0.10"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.11
Search vendor "Apache" for product "Tomcat" and version "7.0.11"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.12
Search vendor "Apache" for product "Tomcat" and version "7.0.12"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.13
Search vendor "Apache" for product "Tomcat" and version "7.0.13"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.14
Search vendor "Apache" for product "Tomcat" and version "7.0.14"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.15
Search vendor "Apache" for product "Tomcat" and version "7.0.15"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.16
Search vendor "Apache" for product "Tomcat" and version "7.0.16"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.17
Search vendor "Apache" for product "Tomcat" and version "7.0.17"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.18
Search vendor "Apache" for product "Tomcat" and version "7.0.18"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.19
Search vendor "Apache" for product "Tomcat" and version "7.0.19"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.20
Search vendor "Apache" for product "Tomcat" and version "7.0.20"
-
Affected
Apache
Search vendor "Apache"
 Tomcat
Search vendor "Apache" for product "Tomcat"
 7.0.21
Search vendor "Apache" for product "Tomcat" and version "7.0.21"
-
Affected