CVE-2017-5648
Description
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
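A simplified model of the facade problem the description refers to, added here as an illustration and not taken from Tomcat's code base. `InternalRequest`, `Facade`, `RetainingListener` and `observe` are hypothetical names, and the model assumes the container reuses internal request objects and detaches the facade when a request is recycled.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model only: every class name here is a hypothetical stand-in.
public class FacadeDemo {

    /** The view of a request that web applications are meant to receive. */
    interface AppRequest {
        String getAttribute(String name);
    }

    /** Container-internal request, reused for later requests and other applications. */
    static final class InternalRequest implements AppRequest {
        private final Map<String, String> attributes = new HashMap<>();
        private Facade facade;

        void setAttribute(String name, String value) { attributes.put(name, value); }

        @Override
        public String getAttribute(String name) { return attributes.get(name); }

        /** Returns the facade for the current request, creating it on first use. */
        AppRequest getFacade() {
            if (facade == null) {
                facade = new Facade(this);
            }
            return facade;
        }

        /** Called when a request completes, before the object is reused. */
        void recycle() {
            attributes.clear();
            if (facade != null) {
                facade.clear();   // sever the old facade from this object
                facade = null;
            }
        }
    }

    /** Thin wrapper that stops working once the request has been recycled. */
    static final class Facade implements AppRequest {
        private InternalRequest target;

        Facade(InternalRequest target) { this.target = target; }

        void clear() { target = null; }

        @Override
        public String getAttribute(String name) {
            if (target == null) {
                throw new IllegalStateException("request has been recycled");
            }
            return target.getAttribute(name);
        }
    }

    /** Application listener that keeps whatever object it was handed. */
    static final class RetainingListener {
        AppRequest retained;
        void requestInitialized(AppRequest request) { retained = request; }
    }

    /** Reports what the retained reference yields once the object serves another application. */
    static String observe(boolean useFacade) {
        InternalRequest pooled = new InternalRequest();
        RetainingListener listener = new RetainingListener();

        // Request 1 belongs to application A, whose listener is notified.
        pooled.setAttribute("owner", "app-A");
        listener.requestInitialized(useFacade ? pooled.getFacade() : pooled);
        pooled.recycle();

        // Request 2 reuses the same internal object for application B.
        pooled.setAttribute("owner", "app-B");
        try {
            return "listener reads: " + listener.retained.getAttribute("owner");
        } catch (IllegalStateException e) {
            return "listener blocked: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("internal object passed -> " + observe(false));
        System.out.println("facade passed          -> " + observe(true));
    }
}
```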
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat-catalina (Maven) | >= 9.0.0.M1, < 9.0.0.M18 | 9.0.0.M18 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 8.5.0, < 8.5.13 | 8.5.13 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 8.0.0, < 8.0.42 | 8.0.42 |
| org.apache.tomcat:tomcat-catalina (Maven) | >= 7.0.0, < 7.0.76 | 7.0.76 |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | >= 9.0.0.M1, < 9.0.0.M18 | 9.0.0.M18 |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | >= 8.5.0, < 8.5.13 | 8.5.13 |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | >= 8.0.0, < 8.0.42 | 8.0.42 |
| org.apache.tomcat.embed:tomcat-embed-core (Maven) | >= 7.0.0, < 7.0.76 | 7.0.76 |
Affected products
- Apache Software Foundation/Apache Tomcat (v5), Range: 9.0.0.M1 to 9.0.0.M17
Patches
6bb36dfdf644 Ensure request and response facades are used when firing application listeners.
4 files changed · +19 −16
java/org/apache/catalina/authenticator/FormAuthenticator.java+5 −6 modified@@ -406,9 +406,9 @@ protected void forwardToLoginPage(Request request, RequestDispatcher disp = context.getServletContext().getRequestDispatcher(loginPage); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t); @@ -450,12 +450,11 @@ protected void forwardToErrorPage(Request request, } RequestDispatcher disp = - context.getServletContext().getRequestDispatcher - (config.getErrorPage()); + context.getServletContext().getRequestDispatcher(config.getErrorPage()); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t);
java/org/apache/catalina/core/AsyncContextImpl.java+1 −1 modified@@ -135,7 +135,7 @@ public void fireOnComplete() { } } } finally { - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); clearServletRequestResponse(); if (Globals.IS_SECURITY_ENABLED) { PrivilegedAction<Void> pa = new PrivilegedSetTccl(oldCL);
java/org/apache/catalina/core/StandardHostValve.java+9 −9 modified@@ -66,7 +66,7 @@ final class StandardHostValve extends ValveBase { static { STRICT_SERVLET_COMPLIANCE = Globals.STRICT_SERVLET_COMPLIANCE; - + String accessSession = System.getProperty( "org.apache.catalina.core.StandardHostValve.ACCESS_SESSION"); if (accessSession == null) { @@ -146,7 +146,7 @@ public final void invoke(Request request, Response response) if (Globals.IS_SECURITY_ENABLED) { PrivilegedAction<Void> pa = new PrivilegedSetTccl( context.getLoader().getClassLoader()); - AccessController.doPrivileged(pa); + AccessController.doPrivileged(pa); } else { Thread.currentThread().setContextClassLoader (context.getLoader().getClassLoader()); @@ -156,9 +156,9 @@ public final void invoke(Request request, Response response) request.setAsyncSupported(context.getPipeline().isAsyncSupported()); } - boolean asyncAtStart = request.isAsync(); + boolean asyncAtStart = request.isAsync(); boolean asyncDispatching = request.isAsyncDispatching(); - if (asyncAtStart || context.fireRequestInitEvent(request)) { + if (asyncAtStart || context.fireRequestInitEvent(request.getRequest())) { // Ask this Context to process this request. Requests that are in // async mode and are not being dispatched to this resource must be @@ -197,7 +197,7 @@ public final void invoke(Request request, Response response) if (!context.getState().isAvailable()) { return; } - + // Look for (and render if found) an application level error page if (response.isErrorReportRequired()) { if (t != null) { @@ -208,7 +208,7 @@ public final void invoke(Request request, Response response) } if (!request.isAsync() && !asyncAtStart) { - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } 
@@ -222,7 +222,7 @@ public final void invoke(Request request, Response response) if (Globals.IS_SECURITY_ENABLED) { PrivilegedAction<Void> pa = new PrivilegedSetTccl( StandardHostValve.class.getClassLoader()); - AccessController.doPrivileged(pa); + AccessController.doPrivileged(pa); } else { Thread.currentThread().setContextClassLoader (StandardHostValve.class.getClassLoader()); @@ -258,7 +258,7 @@ public final void event(Request request, Response response, CometEvent event) // Ask this Context to process this request context.getPipeline().getFirst().event(request, response, event); - + // Error page processing response.setSuspended(false); @@ -469,7 +469,7 @@ private boolean custom(Request request, Response response, if (response.isCommitted()) { // Response is committed - including the error page is the - // best we can do + // best we can do rd.include(request.getRequest(), response.getResponse()); } else { // Reset the response (keeping the real error code and message)
webapps/docs/changelog.xml+4 −0 modified@@ -193,6 +193,10 @@ session - if there is a session - when running under a <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) </fix> + <fix> + Ensure request and response facades are used when firing application + listeners. (markt/remm) + </fix> </changelog> </subsection> </section>
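Review bot: In java/org/apache/catalina/core/StandardHostValve.java, seven of the nine changed lines are whitespace-only (the blank line in the static block, both `AccessController.doPrivileged(pa);` lines, `boolean asyncAtStart = request.isAsync();`, two further blank lines and the `// best we can do` comment), which buries the two security-relevant changes to `fireRequestInitEvent` and `fireRequestDestroyEvent`. Suggest moving the whitespace cleanup to a separate commit so the facade fix can be audited and backported on its own.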
6d73b079c55e Ensure request and response facades are used when firing application listeners.
4 files changed · +12 −9
java/org/apache/catalina/authenticator/FormAuthenticator.java+5 −6 modified@@ -394,9 +394,9 @@ protected void forwardToLoginPage(Request request, RequestDispatcher disp = context.getServletContext().getRequestDispatcher(loginPage); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t); @@ -438,12 +438,11 @@ protected void forwardToErrorPage(Request request, } RequestDispatcher disp = - context.getServletContext().getRequestDispatcher - (config.getErrorPage()); + context.getServletContext().getRequestDispatcher(config.getErrorPage()); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t);
java/org/apache/catalina/core/AsyncContextImpl.java+1 −1 modified@@ -113,7 +113,7 @@ public void fireOnComplete() { } } } finally { - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); clearServletRequestResponse(); context.unbind(Globals.IS_SECURITY_ENABLED, oldCL); }
java/org/apache/catalina/core/StandardHostValve.java+2 −2 modified@@ -124,7 +124,7 @@ public final void invoke(Request request, Response response) try { context.bind(Globals.IS_SECURITY_ENABLED, MY_CLASSLOADER); - if (!asyncAtStart && !context.fireRequestInitEvent(request)) { + if (!asyncAtStart && !context.fireRequestInitEvent(request.getRequest())) { // Don't fire listeners during async processing (the listener // fired for the request that called startAsync()). // If a request init listener throws an exception, the request @@ -180,7 +180,7 @@ public final void invoke(Request request, Response response) } if (!request.isAsync() && !asyncAtStart) { - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } finally { // Access a session (if present) to update last accessed time, based
webapps/docs/changelog.xml+4 −0 modified@@ -113,6 +113,10 @@ session - if there is a session - when running under a <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) </fix> + <fix> + Ensure request and response facades are used when firing application + listeners. (markt/remm) + </fix> </changelog> </subsection> <subsection name="Coyote">
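Review bot: Every change in FormAuthenticator.java, AsyncContextImpl.java and StandardHostValve.java is made at the call site (`context.fireRequestInitEvent(request.getRequest())`), and both the old and the new argument compile, so `fireRequestInitEvent` and `fireRequestDestroyEvent` still accept the internal `Request` from any caller that was missed or is added later. Consider enforcing the facade inside the two fire methods, for example by unwrapping or rejecting an internal `Request` there, so the guarantee does not depend on each caller remembering `getRequest()`.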
0f7b9465d594 Ensure request and response facades are used when firing application listeners.
4 files changed · +12 −9
java/org/apache/catalina/authenticator/FormAuthenticator.java+5 −6 modified@@ -427,9 +427,9 @@ protected void forwardToLoginPage(Request request, RequestDispatcher disp = context.getServletContext().getRequestDispatcher(loginPage); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t); @@ -471,12 +471,11 @@ protected void forwardToErrorPage(Request request, } RequestDispatcher disp = - context.getServletContext().getRequestDispatcher - (config.getErrorPage()); + context.getServletContext().getRequestDispatcher(config.getErrorPage()); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t);
java/org/apache/catalina/core/AsyncContextImpl.java+1 −1 modified@@ -112,7 +112,7 @@ public void fireOnComplete() { } } } finally { - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); clearServletRequestResponse(); context.unbind(Globals.IS_SECURITY_ENABLED, oldCL); }
java/org/apache/catalina/core/StandardHostValve.java+2 −2 modified@@ -123,7 +123,7 @@ public final void invoke(Request request, Response response) try { context.bind(Globals.IS_SECURITY_ENABLED, MY_CLASSLOADER); - if (!asyncAtStart && !context.fireRequestInitEvent(request)) { + if (!asyncAtStart && !context.fireRequestInitEvent(request.getRequest())) { // Don't fire listeners during async processing (the listener // fired for the request that called startAsync()). // If a request init listener throws an exception, the request @@ -179,7 +179,7 @@ public final void invoke(Request request, Response response) } if (!request.isAsync() && !asyncAtStart) { - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } finally { // Access a session (if present) to update last accessed time, based
webapps/docs/changelog.xml+4 −0 modified@@ -157,6 +157,10 @@ session - if there is a session - when running under a <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) </fix> + <fix> + Ensure request and response facades are used when firing application + listeners. (markt/remm) + </fix> </changelog> </subsection> <subsection name="Coyote">
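Review bot: None of the four files changed is a test, so nothing fails if a later change hands the internal `Request` to a listener again. Suggest adding a regression test that registers a request listener and asserts that the object delivered to it on the paths touched here (`forwardToLoginPage`, `forwardToErrorPage`, `fireOnComplete` and `StandardHostValve.invoke`) is the facade rather than the internal object.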
dfa40863421d Ensure request and response facades are used when firing application listeners.
4 files changed · +12 −9
java/org/apache/catalina/authenticator/FormAuthenticator.java+5 −6 modified@@ -427,9 +427,9 @@ protected void forwardToLoginPage(Request request, RequestDispatcher disp = context.getServletContext().getRequestDispatcher(loginPage); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t); @@ -471,12 +471,11 @@ protected void forwardToErrorPage(Request request, } RequestDispatcher disp = - context.getServletContext().getRequestDispatcher - (config.getErrorPage()); + context.getServletContext().getRequestDispatcher(config.getErrorPage()); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t);
java/org/apache/catalina/core/AsyncContextImpl.java+1 −1 modified@@ -112,7 +112,7 @@ public void fireOnComplete() { } } } finally { - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); clearServletRequestResponse(); context.unbind(Globals.IS_SECURITY_ENABLED, oldCL); }
java/org/apache/catalina/core/StandardHostValve.java+2 −2 modified@@ -123,7 +123,7 @@ public final void invoke(Request request, Response response) try { context.bind(Globals.IS_SECURITY_ENABLED, MY_CLASSLOADER); - if (!asyncAtStart && !context.fireRequestInitEvent(request)) { + if (!asyncAtStart && !context.fireRequestInitEvent(request.getRequest())) { // Don't fire listeners during async processing (the listener // fired for the request that called startAsync()). // If a request init listener throws an exception, the request @@ -179,7 +179,7 @@ public final void invoke(Request request, Response response) } if (!request.isAsync() && !asyncAtStart) { - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } finally { // Access a session (if present) to update last accessed time, based
webapps/docs/changelog.xml+4 −0 modified@@ -167,6 +167,10 @@ session - if there is a session - when running under a <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt) </fix> + <fix> + Ensure request and response facades are used when firing application + listeners. (markt/remm) + </fix> </changelog> </subsection> <subsection name="Coyote">
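Review bot: The commit message and the changelog entry both say "request and response facades", but every changed call in these hunks swaps only the request argument (`request` to `request.getRequest()`); no response argument is touched. Either narrow the wording to the request facade or state where the response side is handled, so readers of the changelog do not assume a response-path change that is not in this patch.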
References
- www.securityfocus.com/bid/97530 (nvd: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-3vx3-xf6q-r5xp (ghsa: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2017-5648 (ghsa: ADVISORY)
- www.debian.org/security/2017/dsa-3842 (nvd: WEB)
- www.debian.org/security/2017/dsa-3843 (nvd: WEB)
- www.openwall.com/lists/oss-security/2020/07/20/8 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:1801 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:1802 (nvd: WEB)
- access.redhat.com/errata/RHSA-2017:1809 (nvd: WEB)
- github.com/apache/tomcat/commit/0f7b9465d594b9814e1853d1e3a6e3aa51a21610 (ghsa: WEB)
- github.com/apache/tomcat/commit/6bb36dfdf6444efda074893dff493b9eb3648808 (ghsa: WEB)
- github.com/apache/tomcat/commit/dfa40863421d7681fed893b4256666491887e38c (ghsa: WEB)
- github.com/apache/tomcat80/commit/6d73b079c55ee25dea1bbd0556bb568a4247dacd (ghsa: WEB)
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600%40%3Cannounce.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/d0e00f2e147a9e9b13a6829133092f349b2882bf6860397368a52600@%3Cannounce.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E (nvd: WEB)
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E (ghsa: WEB)
- security.gentoo.org/glsa/201705-09 (nvd: WEB)
- security.netapp.com/advisory/ntap-20180614-0001 (ghsa: WEB)
- web.archive.org/web/20170417124117/http://www.securityfocus.com/bid/97530 (ghsa: WEB)
- web.archive.org/web/20170420115120/http://www.securitytracker.com/id/1038220 (ghsa: WEB)
- www.securitytracker.com/id/1038220 (nvd)
- security.netapp.com/advisory/ntap-20180614-0001/ (nvd)