Candidate: CVE-2018-8037
PublicDate: 2018-08-02 14:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037
Description:
 If an async request was completed by the application at the same time as
 the container triggered the async timeout, a race condition existed that
 could result in a user seeing a response intended for a different user. An
 additional issue was present in the NIO and NIO2 connectors that did not
 correctly track the closure of the connection when an async request was
 completed by the application and timed out by the container at the same
 time. This could also result in a user seeing a response intended for
 another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5
 to 8.5.31.
Ubuntu-Description:
Notes:
 debian> Vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series
Bugs:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312
 https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1785399
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]


Patches_tomcat8.0:
upstream_tomcat8.0: not-affected
precise/esm_tomcat8.0: DNE
trusty_tomcat8.0: DNE
trusty/esm_tomcat8.0: DNE
xenial_tomcat8.0: DNE
bionic_tomcat8.0: DNE
cosmic_tomcat8.0: DNE
devel_tomcat8.0: DNE

Patches_tomcat8:
 upstream: https://svn.apache.org/r1833907 (8.5.x)
 upstream: https://svn.apache.org/r1833826 (8.5.x)
 upstream: https://svn.apache.org/r1833832 (8.5.x)
 upstream: https://svn.apache.org/r1837531 (8.5.x)
upstream_tomcat8: released (8.5.32-1)
precise/esm_tomcat8: DNE
trusty_tomcat8: DNE
trusty/esm_tomcat8: DNE
xenial_tomcat8: not-affected (code not present)
esm-infra/xenial_tomcat8: not-affected (code not present)
bionic_tomcat8: released (8.5.39-1ubuntu1~18.04.1)
cosmic_tomcat8: not-affected (8.5.32-1ubuntu2)
devel_tomcat8: DNE