A vulnerability was reported in Apache Tomcat. A remote user may be able to obtain information from a different request.
Affected versions: Apache Tomcat v7.0.0 - v7.0.11
When using HTTP pipelining, the system may return information from a different request to a remote user. The vulnerability resides in the HTTP BIO connector.
Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred including the mixing up of responses between requests. While the mix-up in responses was only observed between requests from the same user, a mix-up of responses for requests from different users may also be possible.
Users of affected versions should apply one of the following mitigations.
Upgrade to Tomcat 7.0.12 or later
Switch to the NIO or APR/native HTTP connectors, which do not exhibit this issue
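To decide which mitigation applies to a given instance, the following added example (not part of the original advisory or of Tomcat) audits a `server.xml` and reports which `<Connector>` elements would run on the HTTP BIO connector. It assumes the Tomcat 7 connector protocol values (`HTTP/1.1` auto-selects APR/native when the native library loads and BIO otherwise), a plain `x.y.z` version string, and a constructed sample configuration; the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Connector protocol class names as used by Tomcat 7.
BIO_CLASS = "org.apache.coyote.http11.Http11Protocol"
NIO_CLASS = "org.apache.coyote.http11.Http11NioProtocol"
APR_CLASS = "org.apache.coyote.http11.Http11AprProtocol"

def in_affected_range(version):
    """True for 7.0.0 through 7.0.11, the range given in the advisory."""
    parts = tuple(int(p) for p in version.split("."))
    return (7, 0, 0) <= parts <= (7, 0, 11)

def classify(protocol):
    """Map a <Connector protocol=...> value to the implementation Tomcat 7 picks."""
    if protocol is None or protocol == "HTTP/1.1":
        # Auto-select: APR if the native library loads, otherwise BIO.
        return "bio-unless-apr-native-loaded"
    if protocol == BIO_CLASS:
        return "bio"
    if protocol == NIO_CLASS:
        return "nio"
    if protocol == APR_CLASS:
        return "apr"
    return "other"  # e.g. AJP connectors, outside the advisory's scope

def audit(server_xml, version):
    """Return (port, kind, needs_action) for every Connector in server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        kind = classify(conn.get("protocol"))
        risky = in_affected_range(version) and kind.startswith("bio")
        findings.append((conn.get("port"), kind, risky))
    return findings

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8081" protocol="org.apache.coyote.http11.Http11Protocol"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, kind, risky in audit(SAMPLE, "7.0.11"):
        print(port, kind, "ACTION NEEDED" if risky else "ok")
```

A connector reported as `bio-unless-apr-native-loaded` needs a check of the startup log to confirm whether the APR/native library was actually loaded; setting the NIO class name explicitly removes that ambiguity.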