The host is installed with Apache Tomcat 10.0.0-M1 through 10.0.0, 9.0.0.M1 through 9.0.41 or 8.5.0 through 8.5.61 and is prone to an information disclosure vulnerability. A flaw is present in application, which fails to handle new h2c connection requests. Successful exploitation allows attackers to duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.