## Critical Information Disclosure Flaw Found in Apache Tomcat JsonAccessLogValve — Patch to 9.0.116 Required
A high-severity information disclosure vulnerability has been identified in Apache Tomcat's JsonAccessLogValve component, stemming from improper encoding of logged data. The flaw could allow an attacker to obtain sensitive information through manipulated HTTP requests that exploit how access log entries are formatted and written. Organizations running affected versions of Apache Tomcat face an increased risk of data leakage through the access logging mechanism itself.

The vulnerability specifically affects how JsonAccessLogValve handles and encodes data within JSON-formatted access logs. Improper encoding means that certain characters or request parameters could be rendered in ways that expose backend system details, session tokens, query parameters, or other data that should remain protected. Attackers could craft specific requests designed to trigger unintended data inclusion in log output, which could then be harvested through log inspection or injection attacks. The flaw is particularly concerning because access logs are often stored alongside application data or processed by centralized logging systems.
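The page does not say which characters JsonAccessLogValve failed to encode, so the following is an added illustration of the general class (not Tomcat's code): a JSON access log record assembled without escaping, beside one that escapes every string field per RFC 8259, plus a structural check a log pipeline can run over each line to flag records that do not match the expected schema. The request fields and the field names are constructed for the example.

```python
import json
import re

# Constructed sample requests (not captured traffic). The second carries a
# User-Agent with an embedded quote, the kind of client-controlled field a
# JSON log encoder must escape before writing.
BENIGN_REQUEST = {"remote_addr": "198.51.100.4", "method": "GET",
                  "uri": "/app/index.html", "status": 200,
                  "user_agent": "Mozilla/5.0"}
CRAFTED_REQUEST = dict(BENIGN_REQUEST,
                       user_agent='Mozilla/5.0", "status": 500, "x": "')
FIELD_ORDER = ["remote_addr", "method", "uri", "status", "user_agent"]
EXPECTED_KEYS = frozenset(FIELD_ORDER)

def naive_json_log_line(req: dict) -> str:
    """Weak pattern: the record is built by string formatting with no
    escaping, so a '"' inside a request field alters the JSON structure
    (here it adds a duplicate "status" key and a spurious "x" key)."""
    return ('{"remote_addr": "%(remote_addr)s", "method": "%(method)s", '
            '"uri": "%(uri)s", "status": %(status)d, '
            '"user_agent": "%(user_agent)s"}' % req)

def safe_json_log_line(req: dict) -> str:
    """Hardened form: the JSON encoder escapes quotes, backslashes and
    control characters, so each request yields exactly one JSON object on
    one line with exactly the keys the logger intended to write."""
    return json.dumps({k: req[k] for k in FIELD_ORDER}, ensure_ascii=True)

def parse_log_line(line: str):
    """Parse one log line; None if it is not a single JSON object."""
    try:
        obj = json.loads(line)
    except ValueError:
        return None
    return obj if isinstance(obj, dict) else None

def check_log_line(line: str) -> bool:
    """Detection check for the log pipeline: a valid line contains no raw
    control characters and parses to an object with exactly the expected
    keys. Extra, missing or duplicated keys indicate a malformed record."""
    if re.search(r"[\x00-\x1f]", line):
        return False
    obj = parse_log_line(line)
    return obj is not None and set(obj) == EXPECTED_KEYS

def audit(lines) -> list:
    """Indices of log lines whose structure does not match the schema."""
    return [i for i, line in enumerate(lines) if not check_log_line(line)]
```

Note that the naively built line for the crafted request still parses as JSON, but a consumer reading it would see status 500 rather than the 200 the server actually returned, which is why the check compares the key set rather than only testing parseability.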

The Apache Tomcat project has addressed this vulnerability in version 9.0.116 and later releases. Organizations running earlier versions of the 9.x branch should update immediately. Given the widespread deployment of Apache Tomcat across enterprise Java applications, this vulnerability carries significant implications for web-facing services and internal application infrastructure. Security teams should audit their logging configurations and consider restricting access to log files while the patching process is underway.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: apache-tomcat, information-disclosure, jsonaccesslogvalve, vulnerability, security-patch
- **Credibility**: unverified
- **Published**: 2026-05-07 09:31:44
- **ID**: 80114
- **URL**: https://whisperx.ai/en/intel/80114