Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.apache.tomcat/tomcat@9.0.83
Type maven
Namespace org.apache.tomcat
Name tomcat
Version 9.0.83
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 9.0.86
Latest_non_vulnerable_version 11.0.18
Affected_by_vulnerabilities
0
url VCID-s93z-rmw7-5bcw
vulnerability_id VCID-s93z-rmw7-5bcw
summary
Apache Tomcat Native OCSP verification bypass
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat.

When using an OCSP responder, Tomcat Native did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed.

The vulnerable code is in the process_ocsp_response() function in sslutils.c, which was missing calls to OCSP_basic_verify(), OCSP_check_validity(), and OCSP_check_nonce().

This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39.

Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue.
references
0
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
url https://github.com/apache/tomcat
1
reference_url https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
reference_id
reference_type
scores
url https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-24734
reference_id CVE-2026-24734
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2026-24734
3
reference_url https://github.com/advisories/GHSA-mgp5-rv84-w37q
reference_id GHSA-mgp5-rv84-w37q
reference_type
scores
url https://github.com/advisories/GHSA-mgp5-rv84-w37q
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@9.0.115
purl pkg:maven/org.apache.tomcat/tomcat@9.0.115
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.115
1
url pkg:maven/org.apache.tomcat/tomcat@10.1.52
purl pkg:maven/org.apache.tomcat/tomcat@10.1.52
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.52
2
url pkg:maven/org.apache.tomcat/tomcat@11.0.18
purl pkg:maven/org.apache.tomcat/tomcat@11.0.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.18
aliases CVE-2026-24734, GHSA-mgp5-rv84-w37q
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s93z-rmw7-5bcw
Fixing_vulnerabilities
0
url VCID-zba8-2zc4-9qfh
vulnerability_id VCID-zba8-2zc4-9qfh
summary
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 does not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy.

Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
references
0
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
url https://github.com/apache/tomcat
1
reference_url https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b
2
reference_url https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd
3
reference_url https://github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642
4
reference_url https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08
5
reference_url https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
reference_id
reference_type
scores
url https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
6
reference_url https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html
7
reference_url https://security.netapp.com/advisory/ntap-20231214-0009
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20231214-0009
8
reference_url https://tomcat.apache.org/security-10.html
reference_id
reference_type
scores
url https://tomcat.apache.org/security-10.html
9
reference_url https://tomcat.apache.org/security-11.html
reference_id
reference_type
scores
url https://tomcat.apache.org/security-11.html
10
reference_url https://tomcat.apache.org/security-8.html
reference_id
reference_type
scores
url https://tomcat.apache.org/security-8.html
11
reference_url https://tomcat.apache.org/security-9.html
reference_id
reference_type
scores
url https://tomcat.apache.org/security-9.html
12
reference_url https://www.openwall.com/lists/oss-security/2023/11/28/2
reference_id
reference_type
scores
url https://www.openwall.com/lists/oss-security/2023/11/28/2
13
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-46589
reference_id CVE-2023-46589
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-46589
14
reference_url https://github.com/advisories/GHSA-fccv-jmmp-qg76
reference_id GHSA-fccv-jmmp-qg76
reference_type
scores
url https://github.com/advisories/GHSA-fccv-jmmp-qg76
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@8.5.96
purl pkg:maven/org.apache.tomcat/tomcat@8.5.96
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@8.5.96
1
url pkg:maven/org.apache.tomcat/tomcat@9.0.83
purl pkg:maven/org.apache.tomcat/tomcat@9.0.83
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-s93z-rmw7-5bcw
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.83
2
url pkg:maven/org.apache.tomcat/tomcat@10.1.16
purl pkg:maven/org.apache.tomcat/tomcat@10.1.16
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.16
aliases CVE-2023-46589, GHSA-fccv-jmmp-qg76
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zba8-2zc4-9qfh
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.83