Search for vulnerabilities
Vulnerability details: VCID-aszd-s78t-kqa5
Vulnerability ID VCID-aszd-s78t-kqa5
Aliases CVE-2023-34981
GHSA-mppv-79ch-vw6q
Summary Apache Tomcat vulnerable to information leak A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS message would be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-732 Incorrect Permission Assignment for Critical Resource
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34981.json
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
epss 0.00231 https://api.first.org/data/v1/epss?cve=CVE-2023-34981
cvssv3.1 7.5 https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
generic_textual HIGH https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
cvssv3.1 7.5 https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
generic_textual HIGH https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
apache_tomcat Important https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34981
cvssv3.1 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-mppv-79ch-vw6q
cvssv3.1 7.5 https://github.com/apache/tomcat
generic_textual HIGH https://github.com/apache/tomcat
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/2214c8030522aa9b2a367dfa5d9acff1a03666ae
generic_textual HIGH https://github.com/apache/tomcat/commit/2214c8030522aa9b2a367dfa5d9acff1a03666ae
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/2f0ca2378415f4cf0748f4bc8fa955f41f803fa5
generic_textual HIGH https://github.com/apache/tomcat/commit/2f0ca2378415f4cf0748f4bc8fa955f41f803fa5
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442
generic_textual HIGH https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442
cvssv3.1 7.5 https://github.com/apache/tomcat/commit/f0742f47b98aca943097f7f88e0d1163f57527e3
generic_textual HIGH https://github.com/apache/tomcat/commit/f0742f47b98aca943097f7f88e0d1163f57527e3
cvssv3.1 7.5 https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
generic_textual HIGH https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
ssvc Track https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-34981
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-34981
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20230714-0003
generic_textual HIGH https://security.netapp.com/advisory/ntap-20230714-0003
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20230714-0003/
ssvc Track https://security.netapp.com/advisory/ntap-20230714-0003/
cvssv3.1 7.5 https://tomcat.apache.org/security-10.html
generic_textual HIGH https://tomcat.apache.org/security-10.html
cvssv3.1 7.5 https://tomcat.apache.org/security-11.html
generic_textual HIGH https://tomcat.apache.org/security-11.html
cvssv3.1 7.5 https://tomcat.apache.org/security-8.html
generic_textual HIGH https://tomcat.apache.org/security-8.html
cvssv3.1 7.5 https://tomcat.apache.org/security-9.html
generic_textual HIGH https://tomcat.apache.org/security-9.html
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34981.json
https://api.first.org/data/v1/epss?cve=CVE-2023-34981
https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat
https://github.com/apache/tomcat/commit/2214c8030522aa9b2a367dfa5d9acff1a03666ae
https://github.com/apache/tomcat/commit/2f0ca2378415f4cf0748f4bc8fa955f41f803fa5
https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442
https://github.com/apache/tomcat/commit/f0742f47b98aca943097f7f88e0d1163f57527e3
https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
https://nvd.nist.gov/vuln/detail/CVE-2023-34981
https://security.netapp.com/advisory/ntap-20230714-0003
https://security.netapp.com/advisory/ntap-20230714-0003/
https://tomcat.apache.org/security-10.html
https://tomcat.apache.org/security-11.html
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
2216439 https://bugzilla.redhat.com/show_bug.cgi?id=2216439
cpe:2.3:a:apache:tomcat:10.1.8:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:10.1.8:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:11.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.5.88:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:8.5.88:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.74:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apache:tomcat:9.0.74:*:*:*:*:*:*:*
CVE-2023-34981 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34981
GHSA-mppv-79ch-vw6q https://github.com/advisories/GHSA-mppv-79ch-vw6q
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-34981.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://bz.apache.org/bugzilla/show_bug.cgi?id=66512
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://bz.apache.org/bugzilla/show_bug.cgi?id=66591
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/tomcat
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/tomcat/commit/2214c8030522aa9b2a367dfa5d9acff1a03666ae
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/tomcat/commit/2f0ca2378415f4cf0748f4bc8fa955f41f803fa5
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/tomcat/commit/739c7381aed22b7636351caf885ddc519ab6b442
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/apache/tomcat/commit/f0742f47b98aca943097f7f88e0d1163f57527e3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-09T14:50:34Z/ Found at https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-34981
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20230714-0003
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20230714-0003/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-09T14:50:34Z/ Found at https://security.netapp.com/advisory/ntap-20230714-0003/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://tomcat.apache.org/security-10.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://tomcat.apache.org/security-11.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://tomcat.apache.org/security-8.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://tomcat.apache.org/security-9.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.45927
EPSS Score 0.00231
Published At June 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-01T12:16:02.535827+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json 36.1.3