VulnerableCode Package Details - pkg:ebuild/www-servers/tomcat@8.5.88

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-56jv-htmt-rkew	Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.	CVE-2023-24998 GHSA-hfrx-6qgj-fp6c
VCID-nmq2-8ysj-4fbc	If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.	CVE-2022-42252 GHSA-p22x-g9px-3945
VCID-stds-vw5z-auhp	The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.	CVE-2022-45143 GHSA-rq2w-37h9-vg94
VCID-xgr8-tpv5-q3b2	The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.	CVE-2023-28709 GHSA-cx6h-86xw-9x34

Vulnerability

Summary

Aliases

VCID-56jv-htmt-rkew

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

CVE-2023-24998
GHSA-hfrx-6qgj-fp6c

VCID-nmq2-8ysj-4fbc

If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

CVE-2022-42252
GHSA-p22x-g9px-3945

VCID-stds-vw5z-auhp

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CVE-2022-45143
GHSA-rq2w-37h9-vg94

VCID-xgr8-tpv5-q3b2

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

CVE-2023-28709
GHSA-cx6h-86xw-9x34

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:58:45.377893+00:00	Gentoo Importer	Fixing	VCID-xgr8-tpv5-q3b2	https://security.gentoo.org/glsa/202305-37	38.0.0
2026-04-01T12:58:45.362816+00:00	Gentoo Importer	Fixing	VCID-56jv-htmt-rkew	https://security.gentoo.org/glsa/202305-37	38.0.0
2026-04-01T12:58:45.348571+00:00	Gentoo Importer	Fixing	VCID-stds-vw5z-auhp	https://security.gentoo.org/glsa/202305-37	38.0.0
2026-04-01T12:58:45.333007+00:00	Gentoo Importer	Fixing	VCID-nmq2-8ysj-4fbc	https://security.gentoo.org/glsa/202305-37	38.0.0