CVE-2017-5647

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
apacheCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 85%
VendorProductVersion
apachetomcat
6.0.0
apachetomcat
6.0.1
apachetomcat
6.0.2
apachetomcat
6.0.3
apachetomcat
6.0.4
apachetomcat
6.0.5
apachetomcat
6.0.6
apachetomcat
6.0.7
apachetomcat
6.0.8
apachetomcat
6.0.9
apachetomcat
6.0.10
apachetomcat
6.0.11
apachetomcat
6.0.12
apachetomcat
6.0.13
apachetomcat
6.0.14
apachetomcat
6.0.15
apachetomcat
6.0.16
apachetomcat
6.0.17
apachetomcat
6.0.18
apachetomcat
6.0.19
apachetomcat
6.0.20
apachetomcat
6.0.21
apachetomcat
6.0.22
apachetomcat
6.0.23
apachetomcat
6.0.24
apachetomcat
6.0.25
apachetomcat
6.0.26
apachetomcat
6.0.27
apachetomcat
6.0.28
apachetomcat
6.0.29
apachetomcat
6.0.30
apachetomcat
6.0.31
apachetomcat
6.0.32
apachetomcat
6.0.33
apachetomcat
6.0.34
apachetomcat
6.0.35
apachetomcat
6.0.36
apachetomcat
6.0.37
apachetomcat
6.0.38
apachetomcat
6.0.39
apachetomcat
6.0.40
apachetomcat
6.0.41
apachetomcat
6.0.42
apachetomcat
6.0.43
apachetomcat
6.0.44
apachetomcat
6.0.45
apachetomcat
6.0.46
apachetomcat
6.0.47
apachetomcat
6.0.48
apachetomcat
6.0.49
apachetomcat
6.0.50
apachetomcat
6.0.51
apachetomcat
6.0.52
apachetomcat
7.0.0
apachetomcat
7.0.1
apachetomcat
7.0.2
apachetomcat
7.0.3
apachetomcat
7.0.4
apachetomcat
7.0.5
apachetomcat
7.0.6
apachetomcat
7.0.7
apachetomcat
7.0.8
apachetomcat
7.0.9
apachetomcat
7.0.10
apachetomcat
7.0.11
apachetomcat
7.0.12
apachetomcat
7.0.13
apachetomcat
7.0.14
apachetomcat
7.0.15
apachetomcat
7.0.16
apachetomcat
7.0.17
apachetomcat
7.0.18
apachetomcat
7.0.19
apachetomcat
7.0.20
apachetomcat
7.0.21
apachetomcat
7.0.22
apachetomcat
7.0.23
apachetomcat
7.0.24
apachetomcat
7.0.25
apachetomcat
7.0.26
apachetomcat
7.0.27
apachetomcat
7.0.28
apachetomcat
7.0.29
apachetomcat
7.0.30
apachetomcat
7.0.31
apachetomcat
7.0.32
apachetomcat
7.0.33
apachetomcat
7.0.34
apachetomcat
7.0.35
apachetomcat
7.0.36
apachetomcat
7.0.37
apachetomcat
7.0.38
apachetomcat
7.0.39
apachetomcat
7.0.40
apachetomcat
7.0.41
apachetomcat
7.0.42
apachetomcat
7.0.43
apachetomcat
7.0.44
apachetomcat
7.0.45
apachetomcat
7.0.46
apachetomcat
7.0.47
apachetomcat
7.0.48
apachetomcat
7.0.49
apachetomcat
7.0.50
apachetomcat
7.0.51
apachetomcat
7.0.52
apachetomcat
7.0.53
apachetomcat
7.0.54
apachetomcat
7.0.55
apachetomcat
7.0.56
apachetomcat
7.0.57
apachetomcat
7.0.58
apachetomcat
7.0.59
apachetomcat
7.0.60
apachetomcat
7.0.61
apachetomcat
7.0.62
apachetomcat
7.0.63
apachetomcat
7.0.64
apachetomcat
7.0.65
apachetomcat
7.0.66
apachetomcat
7.0.67
apachetomcat
7.0.68
apachetomcat
7.0.69
apachetomcat
7.0.70
apachetomcat
7.0.71
apachetomcat
7.0.72
apachetomcat
7.0.73
apachetomcat
7.0.74
apachetomcat
7.0.75
apachetomcat
7.0.76
apachetomcat
8.0.0
apachetomcat
8.0.0:rc1
apachetomcat
8.0.1
apachetomcat
8.0.2
apachetomcat
8.0.3
apachetomcat
8.0.4
apachetomcat
8.0.5
apachetomcat
8.0.6
apachetomcat
8.0.7
apachetomcat
8.0.8
apachetomcat
8.0.9
apachetomcat
8.0.10
apachetomcat
8.0.11
apachetomcat
8.0.12
apachetomcat
8.0.13
apachetomcat
8.0.14
apachetomcat
8.0.15
apachetomcat
8.0.16
apachetomcat
8.0.17
apachetomcat
8.0.18
apachetomcat
8.0.19
apachetomcat
8.0.20
apachetomcat
8.0.21
apachetomcat
8.0.22
apachetomcat
8.0.23
apachetomcat
8.0.24
apachetomcat
8.0.25
apachetomcat
8.0.26
apachetomcat
8.0.27
apachetomcat
8.0.28
apachetomcat
8.0.29
apachetomcat
8.0.30
apachetomcat
8.0.31
apachetomcat
8.0.32
apachetomcat
8.0.33
apachetomcat
8.0.34
apachetomcat
8.0.35
apachetomcat
8.0.36
apachetomcat
8.0.37
apachetomcat
8.0.38
apachetomcat
8.0.39
apachetomcat
8.0.40
apachetomcat
8.0.41
apachetomcat
8.0.42
apachetomcat
8.5.0
apachetomcat
8.5.1
apachetomcat
8.5.2
apachetomcat
8.5.3
apachetomcat
8.5.4
apachetomcat
8.5.5
apachetomcat
8.5.6
apachetomcat
8.5.7
apachetomcat
8.5.8
apachetomcat
8.5.9
apachetomcat
8.5.10
apachetomcat
8.5.11
apachetomcat
8.5.12
apachetomcat
9.0.0:milestone1
apachetomcat
9.0.0:milestone10
apachetomcat
9.0.0:milestone11
apachetomcat
9.0.0:milestone12
apachetomcat
9.0.0:milestone13
apachetomcat
9.0.0:milestone14
apachetomcat
9.0.0:milestone15
apachetomcat
9.0.0:milestone16
apachetomcat
9.0.0:milestone17
apachetomcat
9.0.0:milestone18
apachetomcat
9.0.0:milestone2
apachetomcat
9.0.0:milestone3
apachetomcat
9.0.0:milestone4
apachetomcat
9.0.0:milestone5
apachetomcat
9.0.0:milestone6
apachetomcat
9.0.0:milestone7
apachetomcat
9.0.0:milestone8
apachetomcat
9.0.0:milestone9
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
tomcat9
bullseye (security)
9.0.43-2~deb11u10
fixed
bullseye
9.0.43-2~deb11u10
fixed
bookworm
9.0.70-2
fixed
sid
9.0.95-1
fixed
trixie
9.0.95-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
tomcat6
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
eoan
dne
disco
dne
cosmic
dne
bionic
dne
artful
dne
zesty
dne
yakkety
dne
xenial
not-affected
trusty
needed
precise
ignored
tomcat7
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
eoan
dne
disco
dne
cosmic
not-affected
bionic
not-affected
artful
not-affected
zesty
not-affected
yakkety
ignored
xenial
needed
trusty
Fixed 7.0.52-1ubuntu0.13
released
precise
ignored
tomcat8
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
eoan
dne
disco
dne
cosmic
not-affected
bionic
not-affected
artful
not-affected
zesty
Fixed 8.0.38-2ubuntu2.2
released
yakkety
ignored
xenial
Fixed 8.0.32-1ubuntu1.5
released
trusty
dne
precise
dne
Common Weakness Enumeration
References
http://www.arubanetworks.com/assets/alert/HPESBHF03730.txt
http://www.debian.org/security/2017/dsa-3842
http://www.debian.org/security/2017/dsa-3843
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securitytracker.com/id/1038218
https://access.redhat.com/errata/RHSA-2017:1801
https://access.redhat.com/errata/RHSA-2017:1802
https://access.redhat.com/errata/RHSA-2017:2493
https://access.redhat.com/errata/RHSA-2017:2494
https://access.redhat.com/errata/RHSA-2017:3080
https://access.redhat.com/errata/RHSA-2017:3081
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03730en_us
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5796678c5a773c6f3ff57c178ac247d85ceca0dee9190ba48171451a%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180614-0001/
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
http://www.arubanetworks.com/assets/alert/HPESBHF03730.txt
http://www.debian.org/security/2017/dsa-3842
http://www.debian.org/security/2017/dsa-3843
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
http://www.securitytracker.com/id/1038218
https://access.redhat.com/errata/RHSA-2017:1801
https://access.redhat.com/errata/RHSA-2017:1802
https://access.redhat.com/errata/RHSA-2017:2493
https://access.redhat.com/errata/RHSA-2017:2494
https://access.redhat.com/errata/RHSA-2017:3080
https://access.redhat.com/errata/RHSA-2017:3081
https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03730en_us
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5796678c5a773c6f3ff57c178ac247d85ceca0dee9190ba48171451a%40%3Cusers.tomcat.apache.org%3E
https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180614-0001/
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html