A vulnerability in the embedded Tomcat can lead to users seeing responses for unexpected resources. This problem affects HTTP/2 only.
Full Problem Description
If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
Upcoming releases of the Axon.ivy Digital Business Platform will come with the latest Tomcat:
- 9.2.0 = Tomcat 9.0.39
- 8.0.10 = Tomcat 9.0.39
- 7.0.21 = Tomcat 8.5.59
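As an added example (not Axon.ivy or Tomcat code), the following Python script classifies an embedded Tomcat build against the fixed versions named in this advisory (8.5.59 for the 8.5 line, 9.0.39 for the 9.0 line) and also reports whether HTTP/2 is enabled at all, since the problem is HTTP/2-only. It assumes the version is read from a string such as Tomcat's `server.info` value (for example `Apache Tomcat/9.0.38`) and that HTTP/2 is enabled through the standard `UpgradeProtocol` element with `org.apache.coyote.http2.Http2Protocol` in `server.xml`; the sample version and `server.xml` fragment are constructed for the example.

```python
# Added example (not Axon.ivy or Tomcat code): classify an embedded Tomcat
# build as affected or fixed for the HTTP/2 header mix-up described above,
# and report whether HTTP/2 is enabled, since only HTTP/2 is affected.
import re
import xml.etree.ElementTree as ET

# Fixed versions per Tomcat release line, taken from the advisory above.
FIXED_BY_LINE = {
    (8, 5): (8, 5, 59),
    (9, 0): (9, 0, 39),
}

# Tomcat's HTTP/2 UpgradeProtocol implementation class.
HTTP2_UPGRADE_CLASS = "org.apache.coyote.http2.Http2Protocol"


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) from e.g. 'Apache Tomcat/9.0.38'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    return tuple(int(g) for g in m.groups())


def is_fixed(version: tuple):
    """True if the build carries the fix, False if it is affected,
    None if the release line is not covered by the advisory."""
    fixed = FIXED_BY_LINE.get(version[:2])
    if fixed is None:
        return None
    return version >= fixed


def http2_enabled(server_xml: str) -> bool:
    """True if any Connector in server.xml declares the HTTP/2 UpgradeProtocol."""
    root = ET.fromstring(server_xml)
    return any(
        up.get("className") == HTTP2_UPGRADE_CLASS
        for up in root.iter("UpgradeProtocol")
    )


def assess(version_text: str, server_xml: str) -> str:
    """Combine version and configuration into a single verdict."""
    fixed = is_fixed(parse_version(version_text))
    if fixed is None:
        return "unknown: release line not covered"
    if not http2_enabled(server_xml):
        return "not exposed: HTTP/2 disabled"
    return "fixed" if fixed else "affected: upgrade Tomcat"


# Constructed sample inputs (not taken from a real installation).
SAMPLE_VERSION = "Apache Tomcat/9.0.38"
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SERVER_XML))  # affected: upgrade Tomcat
```

A build on a release line the advisory does not name (for example a 10.x line) is reported as unknown rather than silently treated as fixed, and a build with HTTP/2 disabled is reported as not exposed even when its version is below the fixed one, which matches the advisory's statement that only HTTP/2 is affected.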