Search for packages
| purl | pkg:apache/tomcat@10.1.0-M14 |
| Next non-vulnerable version | 10.1.0-M15 |
| Latest non-vulnerable version | 11.0.21 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-qkx6-32cj-jfbp
Aliases: CVE-2022-29885 GHSA-r84p-88g2-2vx2 |
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-j8tk-s915-pbfy | The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. |
CVE-2021-43980
GHSA-jx7c-7mj5-9438 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:06.042428+00:00 | Apache Tomcat Importer | Fixing | VCID-j8tk-s915-pbfy | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:05.982173+00:00 | Apache Tomcat Importer | Affected by | VCID-qkx6-32cj-jfbp | https://tomcat.apache.org/security-10.html | 38.0.0 |