**Important: Request mix-up** [CVE-2022-25762]()
If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
This was fixed with commit [01f2cf25]().
This issue was identified by the Apache Tomcat Security Team on 21 December 2021. The issue was made public on 12 May 2022.
Affects: 8.5.0 to 8.5.75Read More
References
Back to Main