cvedb.io
CVE-2017-15698
MEDIUM · CVSS 5.9
EPSS exploitation probability: 0%
Published 2018-01-31T14:29:00.467 · Last modified 2026-06-17T01:08:06.993

Summary

When parsing the AIA-Extension field of a client certificate, Apache Tomcat Native Connector 1.2.0 to 1.2.14 and 1.1.23 to 1.1.34 did not correctly handle fields longer than 127 bytes. The result of the parsing error was to skip the OCSP check. It was therefore possible for client certificates that should have been rejected (if the OCSP check had been made) to be accepted. Users not using OCSP checks are not affected by this vulnerability.

Affected products

apache — tomcat_native

Does this affect you?

Add your gear to cvedb and we'll alert you only when apache ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.