VYPR
High severity7.5NVD Advisory· Published Aug 10, 2017· Updated Jun 17, 2026

CVE-2016-8745

CVE-2016-8745

Description

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat:tomcat-utilMaven
>= 9.0.0.M1, < 9.0.0.M149.0.0.M14
org.apache.tomcat:tomcat-utilMaven
>= 8.5.0, < 8.5.98.5.9
org.apache.tomcat:tomcat-utilMaven
>= 8.0.0-RC1, < 8.0.418.0.41
org.apache.tomcat:tomcat-utilMaven
>= 7.0.0, < 7.0.757.0.75
org.apache.tomcat:tomcat-utilMaven
>= 6.0.16, < 6.0.506.0.50

Affected products

154
  • Apache/Tomcat138 versions
    cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*+ 137 more
    • cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.58:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.60:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.66:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.70:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.71:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.72:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.73:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.10:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.13:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.16:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.19:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.25:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.31:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.34:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.36:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.37:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.38:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.39:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.0.9:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.1:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.3:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.4:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.5:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.6:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.7:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:8.5.8:*:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
    • cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
  • ghsa-coords15 versions
    >= 9.0.0.M1, < 9.0.0.M14+ 14 more
    • (no CPE)range: >= 9.0.0.M1, < 9.0.0.M14
    • (no CPE)range: < 10.1.14-1.1
    • (no CPE)range: < 9.0.36-8.4
    • (no CPE)range: < 6.0.53-0.56.1
    • (no CPE)range: < 6.0.53-0.56.1
    • (no CPE)range: < 6.0.53-0.56.1
    • (no CPE)range: < 6.0.53-0.56.1
    • (no CPE)range: < 6.0.53-0.56.1
    • (no CPE)range: < 8.0.43-10.19.1
    • (no CPE)range: < 8.0.43-23.1
    • (no CPE)range: < 7.0.78-7.13.4
    • (no CPE)range: < 8.0.43-23.1
    • (no CPE)range: < 7.0.78-7.13.4
    • (no CPE)range: < 8.0.43-10.19.1
    • (no CPE)range: < 8.0.43-23.1
  • Apache Software Foundation/Apache Tomcatv5
    Range: 9.0.0.M1 to 9.0.0.M13

Patches

Vulnerability mechanics

References

56

News mentions

0

No linked articles in our index yet.