Description
* It was discovered that the code that parsed the HTTP request line permitted
invalid characters. This could be exploited, in conjunction with a proxy that
also permitted the invalid characters but with a different interpretation, to
inject data into the HTTP response. By manipulating the HTTP response the
attacker could poison a web-cache, perform an XSS attack, or obtain sensitive
information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO
HTTP connector. This led to the current Processor object being added to the
Processor cache multiple times allowing information leakage between requests
including, and not limited to, session ID and the response body. (CVE-2016-8745)