CVE-2023-34981: 
Java vulnerability analysis and mitigation

A regression in the fix for bug 66512 was identified in Apache Tomcat versions 11.0.0-M5, 10.1.8, 9.0.74, and 8.5.88. The vulnerability was discovered in June 2023 and assigned CVE-2023-34981. The issue affects Apache Tomcat's handling of HTTP headers in AJP responses (Apache Advisory, NVD).

The vulnerability occurs when a response does not include any HTTP headers, resulting in no AJP SEND_HEADERS message being sent for the response. This technical flaw has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility with low attack complexity and no required privileges or user interaction (NVD, NetApp Advisory).

When exploited, this vulnerability leads to an information leak where at least one AJP proxy (modproxyajp) would use the response headers from the previous request. This could result in the disclosure of sensitive information from previous responses (NVD).

The vulnerability has been addressed in subsequent versions of Apache Tomcat. Users should upgrade to versions newer than 11.0.0-M5, 10.1.8, 9.0.74, and 8.5.88 to mitigate this security issue (Debian Security).