Search for packages
| purl | pkg:apache/tomcat@8.5.85 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-6kcx-vptm-zbds
Aliases: CVE-2023-42794 GHSA-jm7m-8jh6-29hp |
Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Other, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-v7tp-1t4h-zqeg
Aliases: CVE-2023-28708 GHSA-2c9m-w27f-53rm |
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xgr8-tpv5-q3b2
Aliases: CVE-2023-28709 GHSA-cx6h-86xw-9x34 |
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-56jv-htmt-rkew | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. |
CVE-2023-24998
GHSA-hfrx-6qgj-fp6c |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:10.267854+00:00 | Apache Tomcat Importer | Fixing | VCID-56jv-htmt-rkew | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:10.236831+00:00 | Apache Tomcat Importer | Affected by | VCID-v7tp-1t4h-zqeg | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:10.203366+00:00 | Apache Tomcat Importer | Affected by | VCID-xgr8-tpv5-q3b2 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:10.116141+00:00 | Apache Tomcat Importer | Affected by | VCID-6kcx-vptm-zbds | https://tomcat.apache.org/security-8.html | 38.0.0 |