Medium
Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by an issue with the HTTP request header value can be reused from the previous stream received on an HTTP/2 connection. By sending a specially-crafted HTTP request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.
Information disclosure
Apache Tomcat
Upgrade to the latest version of Apache Tomcat (8.5.60, 9.0.40, 10.0.0-M10 or later).