VulnerableCode Package Details - pkg:deb/debian/tomcat10@10.1.34-0%2Bdeb12u1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3vdn-j7sj-dfdn	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	CVE-2024-38286 GHSA-7jqf-v358-p8g7
VCID-43j2-w5xt-43g9		CVE-2024-56337 GHSA-27hp-xhwr-wr2m
VCID-8mns-kw6c-a7dk	Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.	CVE-2024-52316 GHSA-xcpr-7mr4-h4xq
VCID-8myk-ac5b-huh8	Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.	CVE-2024-34750 GHSA-wm9w-rjj3-j356
VCID-gvhy-d4gm-57d3		CVE-2024-54677 GHSA-653p-vg55-5652
VCID-v8ku-sjc8-wfga		CVE-2024-50379 GHSA-5j33-cvvr-w245

Vulnerability

Summary

Aliases

VCID-3vdn-j7sj-dfdn

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

CVE-2024-38286
GHSA-7jqf-v358-p8g7

VCID-43j2-w5xt-43g9

CVE-2024-56337
GHSA-27hp-xhwr-wr2m

VCID-8mns-kw6c-a7dk

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

CVE-2024-52316
GHSA-xcpr-7mr4-h4xq

VCID-8myk-ac5b-huh8

Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.

CVE-2024-34750
GHSA-wm9w-rjj3-j356

VCID-gvhy-d4gm-57d3

CVE-2024-54677
GHSA-653p-vg55-5652

VCID-v8ku-sjc8-wfga

CVE-2024-50379
GHSA-5j33-cvvr-w245

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T10:43:38.212884+00:00	Debian Importer	Fixing	VCID-gvhy-d4gm-57d3	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:04:58.965250+00:00	Debian Importer	Fixing	VCID-v8ku-sjc8-wfga	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:41:50.296823+00:00	Debian Importer	Fixing	VCID-8myk-ac5b-huh8	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:41:36.942075+00:00	Debian Importer	Fixing	VCID-3vdn-j7sj-dfdn	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:54:29.974463+00:00	Debian Importer	Fixing	VCID-8mns-kw6c-a7dk	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:41:10.009412+00:00	Debian Importer	Fixing	VCID-43j2-w5xt-43g9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:35:27.608351+00:00	Debian Importer	Fixing	VCID-3vdn-j7sj-dfdn	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:15:14.784771+00:00	Debian Importer	Fixing	VCID-gvhy-d4gm-57d3	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:45:59.503635+00:00	Debian Importer	Fixing	VCID-v8ku-sjc8-wfga	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:29:57.359673+00:00	Debian Importer	Fixing	VCID-8mns-kw6c-a7dk	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:27:00.107212+00:00	Debian Importer	Fixing	VCID-8myk-ac5b-huh8	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:11:09.983548+00:00	Debian Importer	Fixing	VCID-43j2-w5xt-43g9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:55:21.562350+00:00	Debian Importer	Fixing	VCID-43j2-w5xt-43g9	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:21.515504+00:00	Debian Importer	Fixing	VCID-gvhy-d4gm-57d3	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:21.365136+00:00	Debian Importer	Fixing	VCID-8mns-kw6c-a7dk	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:21.316924+00:00	Debian Importer	Fixing	VCID-v8ku-sjc8-wfga	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:21.270459+00:00	Debian Importer	Fixing	VCID-3vdn-j7sj-dfdn	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:21.222532+00:00	Debian Importer	Fixing	VCID-8myk-ac5b-huh8	https://security-tracker.debian.org/tracker/data/json	38.1.0