VulnerableCode Package Details - pkg:deb/debian/tomcat10@10.1.10-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-5732-xnx7-tkfy	A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.	CVE-2023-34981 GHSA-mppv-79ch-vw6q
VCID-xgr8-tpv5-q3b2	The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.	CVE-2023-28709 GHSA-cx6h-86xw-9x34

Vulnerability

Summary

Aliases

VCID-5732-xnx7-tkfy

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

CVE-2023-34981
GHSA-mppv-79ch-vw6q

VCID-xgr8-tpv5-q3b2

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

CVE-2023-28709
GHSA-cx6h-86xw-9x34

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:33:54.016768+00:00	Debian Importer	Fixing	VCID-5732-xnx7-tkfy	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:47:02.120139+00:00	Debian Importer	Fixing	VCID-xgr8-tpv5-q3b2	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:59:31.951636+00:00	Debian Importer	Fixing	VCID-xgr8-tpv5-q3b2	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:38:52.544733+00:00	Debian Importer	Fixing	VCID-5732-xnx7-tkfy	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:55:20.741715+00:00	Debian Importer	Fixing	VCID-5732-xnx7-tkfy	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:20.693994+00:00	Debian Importer	Fixing	VCID-xgr8-tpv5-q3b2	https://security-tracker.debian.org/tracker/data/json	38.1.0