VulnerableCode Package Details - pkg:deb/debian/tomcat9@9.0.43-2~deb11u11?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3vdn-j7sj-dfdn	Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.	CVE-2024-38286 GHSA-7jqf-v358-p8g7
VCID-43j2-w5xt-43g9		CVE-2024-56337 GHSA-27hp-xhwr-wr2m
VCID-8mns-kw6c-a7dk	Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.	CVE-2024-52316 GHSA-xcpr-7mr4-h4xq
VCID-k9cg-ehdw-dbh6	Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.	CVE-2024-21733 GHSA-f4qf-m5gf-8jm8
VCID-v8ku-sjc8-wfga		CVE-2024-50379 GHSA-5j33-cvvr-w245

Vulnerability

Summary

Aliases

VCID-3vdn-j7sj-dfdn

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

CVE-2024-38286
GHSA-7jqf-v358-p8g7

VCID-43j2-w5xt-43g9

CVE-2024-56337
GHSA-27hp-xhwr-wr2m

VCID-8mns-kw6c-a7dk

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

CVE-2024-52316
GHSA-xcpr-7mr4-h4xq

VCID-k9cg-ehdw-dbh6

Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.

CVE-2024-21733
GHSA-f4qf-m5gf-8jm8

VCID-v8ku-sjc8-wfga

CVE-2024-50379
GHSA-5j33-cvvr-w245

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:29:30.100292+00:00	Debian Importer	Fixing	VCID-k9cg-ehdw-dbh6	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:49:38.135401+00:00	Debian Importer	Fixing	VCID-43j2-w5xt-43g9	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:35:51.236395+00:00	Debian Importer	Fixing	VCID-3vdn-j7sj-dfdn	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T10:12:29.350165+00:00	Debian Importer	Fixing	VCID-v8ku-sjc8-wfga	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:17:16.741440+00:00	Debian Importer	Fixing	VCID-8mns-kw6c-a7dk	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:33:08.709127+00:00	Debian Importer	Fixing	VCID-k9cg-ehdw-dbh6	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T08:04:15.113277+00:00	Debian Importer	Fixing	VCID-43j2-w5xt-43g9	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:09:39.223486+00:00	Debian Importer	Fixing	VCID-3vdn-j7sj-dfdn	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:51:45.858073+00:00	Debian Importer	Fixing	VCID-v8ku-sjc8-wfga	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:12:22.762804+00:00	Debian Importer	Fixing	VCID-8mns-kw6c-a7dk	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:55:26.299653+00:00	Debian Importer	Fixing	VCID-43j2-w5xt-43g9	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:26.135776+00:00	Debian Importer	Fixing	VCID-8mns-kw6c-a7dk	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:26.095522+00:00	Debian Importer	Fixing	VCID-v8ku-sjc8-wfga	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:26.055046+00:00	Debian Importer	Fixing	VCID-3vdn-j7sj-dfdn	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:25.864240+00:00	Debian Importer	Fixing	VCID-k9cg-ehdw-dbh6	https://security-tracker.debian.org/tracker/data/json	38.1.0