Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34...
High severity
Unreviewed
Published
May 13, 2022
to the GitHub Advisory Database
•
Updated Feb 1, 2023
Description
Published by the National Vulnerability Database
Jul 31, 2018
Published to the GitHub Advisory Database
May 13, 2022
Last updated
Feb 1, 2023
Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly identified, allowing for users to authenticate with revoked certificates to connections that require mutual TLS. Users not using OCSP checks are not affected by this vulnerability.
References