CVE-2005-3164

Description

The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when "unsuitable request body data" is used for a different request, possibly related to Java Servlet pages.

How to fix CVE-2005-3164

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• Maven/org.apache.tomcat:tomcat—no fix listed

Is CVE-2005-3164 being exploited?

Low — EPSS is 3.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 4.0.1, <= 4.0.6

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2005-3164
• WEBjvn.jp/jp/JVN%2379314822/index.html
• WEBlists.apple.com/archives/security-announce/2008//Jun/msg00002.html
• WEBlists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E