Red Hat Security Advisory 2013-0265-01 - Apache Tomcat is a servlet container. It was found that sending a request without a session identifier to a protected resource could bypass the Cross-Site Request Forgery prevention filter. A remote attacker could use this flaw to perform CSRF attacks against applications that rely on the CSRF prevention filter and do not contain internal mitigation for CSRF. A flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO connector and HTTPS. A remote attacker could use this flaw to cause a denial of service. The HTTP NIO connector is used by default in JBoss Enterprise Web Server. The Apache Portable Runtime connector from the Tomcat Native library was not affected by this flaw.
6511b80f8afd37774dceb238e867e6df16dccae6e5a11cbab1bec49a8584d7f2