What is the severity of CVE-2023-34981?

The severity of CVE-2023-34981 is high.

Which versions of Apache Tomcat are affected by CVE-2023-34981?

Apache Tomcat versions 8.5.88, 9.0.74, 10.1.8, and 11.0.0-M5 are affected by CVE-2023-34981.

How does CVE-2023-34981 affect Apache Tomcat?

CVE-2023-34981 in Apache Tomcat can cause a regression in the fix for bug 66512, resulting in the failure to send AJP SEND_HEADERS messages for responses without any HTTP headers.

How can I fix CVE-2023-34981 in Apache Tomcat?

To fix CVE-2023-34981, upgrade to Apache Tomcat versions 8.5.89, 9.0.75, 10.1.9, or 11.0.0-M6.

Where can I find more information about CVE-2023-34981?

You can find more information about CVE-2023-34981 at the following references: [Link 1](https://nvd.nist.gov/vuln/detail/CVE-2023-34981), [Link 2](https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz), [Link 3](https://bz.apache.org/bugzilla/show_bug.cgi?id=66512).

Vulnerability/
CVE-2023-34981

high

7.5

CWE

732

21/6/2023

9/10/2024

CVE-2023-34981: Apache Tomcat: AJP response header mix-up

First published: Wed Jun 21 2023(Updated: )

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS message would be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
Apache Tomcat	=8.5.88
Apache Tomcat	=9.0.74
Apache Tomcat	=10.1.8
Apache Tomcat	=11.0.0-milestone5
maven/org.apache.tomcat:tomcat-coyote	=8.5.88	8.5.89
maven/org.apache.tomcat.embed:tomcat-embed-core	=9.0.74	9.0.75
maven/org.apache.tomcat.embed:tomcat-embed-core	=10.1.8	10.1.9
maven/org.apache.tomcat.embed:tomcat-embed-core	=11.0.0-M5	11.0.0-M6
IBM QRadar SIEM	<=7.5.0 - 7.5.0 UP6
	=8.5.88
	=9.0.74
	=10.1.8
	=11.0.0-milestone5

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

IBM-7049133

Frequently Asked Questions

What is the severity of CVE-2023-34981?
The severity of CVE-2023-34981 is high.
Which versions of Apache Tomcat are affected by CVE-2023-34981?
Apache Tomcat versions 8.5.88, 9.0.74, 10.1.8, and 11.0.0-M5 are affected by CVE-2023-34981.
How does CVE-2023-34981 affect Apache Tomcat?
CVE-2023-34981 in Apache Tomcat can cause a regression in the fix for bug 66512, resulting in the failure to send AJP SEND_HEADERS messages for responses without any HTTP headers.
How can I fix CVE-2023-34981 in Apache Tomcat?
To fix CVE-2023-34981, upgrade to Apache Tomcat versions 8.5.89, 9.0.75, 10.1.9, or 11.0.0-M6.
Where can I find more information about CVE-2023-34981?
You can find more information about CVE-2023-34981 at the following references: [Link 1](https://nvd.nist.gov/vuln/detail/CVE-2023-34981), [Link 2](https://lists.apache.org/thread/j1ksjh9m9gx1q60rtk1sbzmxhvj5h5qz), [Link 3](https://bz.apache.org/bugzilla/show_bug.cgi?id=66512).

collector/nvd-index
agent/type
agent/severity
agent/author
agent/references
collector/nvd-cve
source/NVD
agent/software-canonical-lookup
collector/github-advisory-latest
source/GitHub
alias/GHSA-mppv-79ch-vw6q
alias/CVE-2023-34981
agent/description
collector/github-advisory
agent/softwarecombine
collector/ibm-support
source/IBM
agent/title
agent/event
agent/first-publish-date
collector/mitre-cve
source/MITRE
collector/nvd-api
agent/last-modified-date
agent/weakness
agent/tags
vendor/apache
canonical/apache tomcat
version/apache tomcat/8.5.88
version/apache tomcat/9.0.74
version/apache tomcat/10.1.8
version/apache tomcat/11.0.0-milestone5
package-manager/maven
vendor/ibm
canonical/ibm qradar siem
version/ibm qradar siem/7.5.0 - 7.5.0 up6