Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.tomcat/tomcat@9.0.76
Typemaven
Namespaceorg.apache.tomcat
Nametomcat
Version9.0.76
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version9.0.117
Latest_non_vulnerable_version11.0.21
Affected_by_vulnerabilities
0
url VCID-2zq1-na8s-mfdd
vulnerability_id VCID-2zq1-na8s-mfdd
summary 
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service.

This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5.
The following versions were EOL at the time the CVE was created but are 
known to be affected: 8.5.90 though 8.5.100.


Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-31650.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-31650.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-31650
reference_id
reference_type
scores
0
value 0.09547
scoring_system epss
scoring_elements 0.92869
published_at 2026-04-21T12:55:00Z
1
value 0.09547
scoring_system epss
scoring_elements 0.92865
published_at 2026-04-18T12:55:00Z
2
value 0.09547
scoring_system epss
scoring_elements 0.92864
published_at 2026-04-16T12:55:00Z
3
value 0.09547
scoring_system epss
scoring_elements 0.92845
published_at 2026-04-08T12:55:00Z
4
value 0.09547
scoring_system epss
scoring_elements 0.92854
published_at 2026-04-13T12:55:00Z
5
value 0.09547
scoring_system epss
scoring_elements 0.92849
published_at 2026-04-09T12:55:00Z
6
value 0.09547
scoring_system epss
scoring_elements 0.92836
published_at 2026-04-07T12:55:00Z
7
value 0.09547
scoring_system epss
scoring_elements 0.92838
published_at 2026-04-04T12:55:00Z
8
value 0.09547
scoring_system epss
scoring_elements 0.92834
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-31650
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
4
reference_url https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/1eef1dc459c45f1e421d8bd25ef340fc1cc34edc
5
reference_url https://github.com/apache/tomcat/commit/40ae788c2e64d018b4e58cd4210bb96434d0100d
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/40ae788c2e64d018b4e58cd4210bb96434d0100d
6
reference_url https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/75554da2fc5574862510ae6f0d7b3d78937f1d40
7
reference_url https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/8cc3b8fb3f2d8d4d6a757e014f19d1fafa948a60
8
reference_url https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9
9
reference_url https://github.com/apache/tomcat/commit/b98e74f517b36929f4208506e5adad22cb767baa
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/b98e74f517b36929f4208506e5adad22cb767baa
10
reference_url https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/cba1a0fe1289ee7f5dd46c61c38d1e1ac5437bff
11
reference_url https://github.com/apache/tomcat/commit/ded0285b96b4d3f5560dfc8856ad5ec4a9b50ba9
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/ded0285b96b4d3f5560dfc8856ad5ec4a9b50ba9
12
reference_url https://github.com/apache/tomcat/commit/f619e6a05029538886d5a9d987925d573b5bb8c2
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/f619e6a05029538886d5a9d987925d573b5bb8c2
13
reference_url https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-06T20:07:38Z/
url https://lists.apache.org/thread/j6zzk0y3yym9pzfzkq5vcyxzz0yzh826
14
reference_url https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/07/msg00009.html
15
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-31650
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-31650
16
reference_url https://tomcat.apache.org/security-10.html
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-10.html
17
reference_url https://tomcat.apache.org/security-11.html
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-11.html
18
reference_url https://tomcat.apache.org/security-9.html
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-9.html
19
reference_url http://www.openwall.com/lists/oss-security/2025/04/28/2
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2025/04/28/2
20
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2362783
reference_id 2362783
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2362783
21
reference_url https://security.archlinux.org/AVG-2888
reference_id AVG-2888
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2888
22
reference_url https://security.archlinux.org/AVG-2889
reference_id AVG-2889
reference_type
scores
0
value High
scoring_system archlinux
scoring_elements
url https://security.archlinux.org/AVG-2889
23
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31650
reference_id CVE-2025-31650
reference_type
scores
0
value Important
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-31650
24
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52318.py
reference_id CVE-2025-31650
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/multiple/remote/52318.py
25
reference_url https://github.com/advisories/GHSA-3p2h-wqq4-wf4h
reference_id GHSA-3p2h-wqq4-wf4h
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3p2h-wqq4-wf4h
26
reference_url https://access.redhat.com/errata/RHSA-2025:11332
reference_id RHSA-2025:11332
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:11332
27
reference_url https://access.redhat.com/errata/RHSA-2025:11333
reference_id RHSA-2025:11333
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:11333
28
reference_url https://access.redhat.com/errata/RHSA-2025:11334
reference_id RHSA-2025:11334
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:11334
29
reference_url https://access.redhat.com/errata/RHSA-2025:11335
reference_id RHSA-2025:11335
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:11335
30
reference_url https://access.redhat.com/errata/RHSA-2025:11381
reference_id RHSA-2025:11381
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:11381
31
reference_url https://access.redhat.com/errata/RHSA-2025:11382
reference_id RHSA-2025:11382
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:11382
32
reference_url https://access.redhat.com/errata/RHSA-2025:3608
reference_id RHSA-2025:3608
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3608
33
reference_url https://access.redhat.com/errata/RHSA-2025:3609
reference_id RHSA-2025:3609
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3609
34
reference_url https://access.redhat.com/errata/RHSA-2025:4521
reference_id RHSA-2025:4521
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4521
35
reference_url https://access.redhat.com/errata/RHSA-2025:4522
reference_id RHSA-2025:4522
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4522
36
reference_url https://usn.ubuntu.com/7705-1/
reference_id USN-7705-1
reference_type
scores
url https://usn.ubuntu.com/7705-1/
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@9.0.104
purl pkg:maven/org.apache.tomcat/tomcat@9.0.104
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-sr8e-w1qk-r7fz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.104
1
url pkg:maven/org.apache.tomcat/tomcat@10.1.40
purl pkg:maven/org.apache.tomcat/tomcat@10.1.40
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-sr8e-w1qk-r7fz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.40
2
url pkg:maven/org.apache.tomcat/tomcat@11.0.6
purl pkg:maven/org.apache.tomcat/tomcat@11.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
1
vulnerability VCID-sr8e-w1qk-r7fz
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.6
aliases CVE-2025-31650, GHSA-3p2h-wqq4-wf4h
risk_score 10.0
exploitability 2.0
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2zq1-na8s-mfdd
1
url VCID-6kcx-vptm-zbds
vulnerability_id VCID-6kcx-vptm-zbds
summary 
Incomplete Cleanup vulnerability in Apache Tomcat.

The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, 
in progress refactoring that exposed a potential denial of service on 
Windows if a web application opened a stream for an uploaded file but 
failed to close the stream. The file would never be deleted from disk 
creating the possibility of an eventual denial of service due to the 
disk being full.

Other, EOL versions may also be affected.


Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-42794.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-42794
reference_id
reference_type
scores
0
value 0.00355
scoring_system epss
scoring_elements 0.57854
published_at 2026-04-21T12:55:00Z
1
value 0.00355
scoring_system epss
scoring_elements 0.57876
published_at 2026-04-18T12:55:00Z
2
value 0.00355
scoring_system epss
scoring_elements 0.57877
published_at 2026-04-16T12:55:00Z
3
value 0.00355
scoring_system epss
scoring_elements 0.57848
published_at 2026-04-13T12:55:00Z
4
value 0.00355
scoring_system epss
scoring_elements 0.57869
published_at 2026-04-12T12:55:00Z
5
value 0.00355
scoring_system epss
scoring_elements 0.57891
published_at 2026-04-11T12:55:00Z
6
value 0.00355
scoring_system epss
scoring_elements 0.57874
published_at 2026-04-09T12:55:00Z
7
value 0.00355
scoring_system epss
scoring_elements 0.57873
published_at 2026-04-08T12:55:00Z
8
value 0.00355
scoring_system epss
scoring_elements 0.57818
published_at 2026-04-07T12:55:00Z
9
value 0.00355
scoring_system epss
scoring_elements 0.57824
published_at 2026-04-02T12:55:00Z
10
value 0.00355
scoring_system epss
scoring_elements 0.57844
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-42794
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
4
reference_url https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/43b882b8a577684498ab9b8851aa0427216784f7
5
reference_url https://github.com/apache/tomcat/commit/c99ffc30e95ddc4daede564d08cb5ea2b9a9da65
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/c99ffc30e95ddc4daede564d08cb5ea2b9a9da65
6
reference_url https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.apache.org/thread/vvbr2ms7lockj1hlhz5q3wmxb2mwcw82
7
reference_url http://www.openwall.com/lists/oss-security/2023/10/10/8
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2023/10/10/8
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2243751
reference_id 2243751
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2243751
9
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794
reference_id CVE-2023-42794
reference_type
scores
0
value Low
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42794
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-42794
reference_id CVE-2023-42794
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-42794
11
reference_url https://github.com/advisories/GHSA-jm7m-8jh6-29hp
reference_id GHSA-jm7m-8jh6-29hp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-jm7m-8jh6-29hp
12
reference_url https://access.redhat.com/errata/RHSA-2023:7623
reference_id RHSA-2023:7623
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:7623
13
reference_url https://access.redhat.com/errata/RHSA-2024:0125
reference_id RHSA-2024:0125
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0125
14
reference_url https://access.redhat.com/errata/RHSA-2024:0474
reference_id RHSA-2024:0474
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0474
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@9.0.81
purl pkg:maven/org.apache.tomcat/tomcat@9.0.81
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-b3bb-9ajg-sfc9
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.81
aliases CVE-2023-42794, GHSA-jm7m-8jh6-29hp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6kcx-vptm-zbds
2
url VCID-b3bb-9ajg-sfc9
vulnerability_id VCID-b3bb-9ajg-sfc9
summary 
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single 
request as multiple requests leading to the possibility of request 
smuggling when behind a reverse proxy.


Older, EOL versions may also be affected.


Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46589.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-46589.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-46589
reference_id
reference_type
scores
0
value 0.51432
scoring_system epss
scoring_elements 0.97896
published_at 2026-04-18T12:55:00Z
1
value 0.51432
scoring_system epss
scoring_elements 0.97895
published_at 2026-04-16T12:55:00Z
2
value 0.51432
scoring_system epss
scoring_elements 0.97888
published_at 2026-04-13T12:55:00Z
3
value 0.51432
scoring_system epss
scoring_elements 0.97885
published_at 2026-04-11T12:55:00Z
4
value 0.51432
scoring_system epss
scoring_elements 0.9788
published_at 2026-04-08T12:55:00Z
5
value 0.51432
scoring_system epss
scoring_elements 0.97875
published_at 2026-04-07T12:55:00Z
6
value 0.51432
scoring_system epss
scoring_elements 0.97872
published_at 2026-04-04T12:55:00Z
7
value 0.51432
scoring_system epss
scoring_elements 0.97871
published_at 2026-04-02T12:55:00Z
8
value 0.51432
scoring_system epss
scoring_elements 0.97886
published_at 2026-04-12T12:55:00Z
9
value 0.51432
scoring_system epss
scoring_elements 0.97882
published_at 2026-04-09T12:55:00Z
10
value 0.57888
scoring_system epss
scoring_elements 0.98185
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-46589
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat
4
reference_url https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b
5
reference_url https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/7a2d8818fcea0b51747a67af9510ce7977245ebd
6
reference_url https://github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/aa92971e879a519384c517febc39fd04c48d4642
7
reference_url https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08
8
reference_url https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-11T16:04:24Z/
url https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr
9
reference_url https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2024/01/msg00001.html
10
reference_url https://security.netapp.com/advisory/ntap-20231214-0009
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231214-0009
11
reference_url https://tomcat.apache.org/security-10.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-10.html
12
reference_url https://tomcat.apache.org/security-11.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-11.html
13
reference_url https://tomcat.apache.org/security-8.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-8.html
14
reference_url https://tomcat.apache.org/security-9.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://tomcat.apache.org/security-9.html
15
reference_url https://www.openwall.com/lists/oss-security/2023/11/28/2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-07-11T16:04:24Z/
url https://www.openwall.com/lists/oss-security/2023/11/28/2
16
reference_url http://www.openwall.com/lists/oss-security/2023/11/28/2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2023/11/28/2
17
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057082
reference_id 1057082
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057082
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2252050
reference_id 2252050
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2252050
19
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46589
reference_id CVE-2023-46589
reference_type
scores
0
value Important
scoring_system apache_tomcat
scoring_elements
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46589
20
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-46589
reference_id CVE-2023-46589
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-46589
21
reference_url https://github.com/advisories/GHSA-fccv-jmmp-qg76
reference_id GHSA-fccv-jmmp-qg76
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fccv-jmmp-qg76
22
reference_url https://access.redhat.com/errata/RHSA-2024:0532
reference_id RHSA-2024:0532
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0532
23
reference_url https://access.redhat.com/errata/RHSA-2024:0539
reference_id RHSA-2024:0539
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:0539
24
reference_url https://access.redhat.com/errata/RHSA-2024:1092
reference_id RHSA-2024:1092
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1092
25
reference_url https://access.redhat.com/errata/RHSA-2024:1134
reference_id RHSA-2024:1134
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1134
26
reference_url https://access.redhat.com/errata/RHSA-2024:1318
reference_id RHSA-2024:1318
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1318
27
reference_url https://access.redhat.com/errata/RHSA-2024:1319
reference_id RHSA-2024:1319
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1319
28
reference_url https://access.redhat.com/errata/RHSA-2024:1324
reference_id RHSA-2024:1324
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1324
29
reference_url https://access.redhat.com/errata/RHSA-2024:1325
reference_id RHSA-2024:1325
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1325
30
reference_url https://usn.ubuntu.com/7032-1/
reference_id USN-7032-1
reference_type
scores
url https://usn.ubuntu.com/7032-1/
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@9.0.83
purl pkg:maven/org.apache.tomcat/tomcat@9.0.83
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-74tx-sx8a-guhs
1
vulnerability VCID-8war-4v58-eub2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.83
1
url pkg:maven/org.apache.tomcat/tomcat@10.1.16
purl pkg:maven/org.apache.tomcat/tomcat@10.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8war-4v58-eub2
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.16
2
url pkg:maven/org.apache.tomcat/tomcat@11.0.0-M11
purl pkg:maven/org.apache.tomcat/tomcat@11.0.0-M11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-5781-s1ny-q7ey
1
vulnerability VCID-8war-4v58-eub2
2
vulnerability VCID-n9yk-e49f-n7e7
3
vulnerability VCID-rzj2-4kcj-43dq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.0-M11
3
url pkg:maven/org.apache.tomcat/tomcat@11.0.1
purl pkg:maven/org.apache.tomcat/tomcat@11.0.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-43j2-w5xt-43g9
1
vulnerability VCID-8war-4v58-eub2
2
vulnerability VCID-gvhy-d4gm-57d3
3
vulnerability VCID-v8ku-sjc8-wfga
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.1
aliases CVE-2023-46589, GHSA-fccv-jmmp-qg76
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b3bb-9ajg-sfc9
Fixing_vulnerabilities
Risk_score10.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.76