VDB
RHSA-2018%3A2867
RHSA-2018%3A2867
PUBLISHED
CVSS 9.100000381469727 CRITICAL
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
Risk Scores
CVSS 3.0
9.100000381469727
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat JBoss Web Server 5.0 |
Timeline
- Oct 3, 2018 CVE Published
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Distribution Patch
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Security Advisory
- Apr 30, 2026 Security Advisory
- May 14, 2026 CVE Updated
References
- https://access.redhat.com/errata/RHSA-2018:2867 advisory
- https://access.redhat.com/security/updates/classification/#important advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1607582 issue
- https://issues.redhat.com/browse/JWS-1028 advisory
- https://issues.redhat.com/browse/JWS-1064 advisory
- https://issues.redhat.com/browse/JWS-1065 advisory
- https://issues.redhat.com/browse/JWS-1121 advisory
- https://issues.redhat.com/browse/JWS-1124 advisory
- https://issues.redhat.com/browse/JWS-996 advisory
- https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2867.json advisory
- https://access.redhat.com/security/cve/CVE-2018-8037 advisory
- https://www.cve.org/CVERecord?id=CVE-2018-8037 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2018-8037 advisory
- https://access.redhat.com/security/cve/CVE-2018-11784 advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1636512 issue
- https://www.cve.org/CVERecord?id=CVE-2018-11784 advisory
- https://nvd.nist.gov/vuln/detail/CVE-2018-11784 advisory
- http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.91 advisory
- http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.34 advisory
- http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.12 advisory