VulnerableCode Package Details - pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@11.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-fpgj-82wf-ykbw Aliases: CVE-2025-53506 GHSA-25xr-qj8w-c4vf	Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.	11.0.9 Affected by 0 other vulnerabilities.
VCID-xgr8-tpv5-q3b2 Aliases: CVE-2023-28709 GHSA-cx6h-86xw-9x34	The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.	11.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-fpgj-82wf-ykbw
Aliases:
CVE-2025-53506
GHSA-25xr-qj8w-c4vf

Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue.

11.0.9
Affected by 0 other vulnerabilities.

VCID-xgr8-tpv5-q3b2
Aliases:
CVE-2023-28709
GHSA-cx6h-86xw-9x34

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

11.0.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-9qgr-t27j-y7d3	Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.	CVE-2024-52317 GHSA-qvf5-hvjx-wm27
VCID-v7tp-1t4h-zqeg	When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.	CVE-2023-28708 GHSA-2c9m-w27f-53rm

Vulnerability

Summary

Aliases

VCID-9qgr-t27j-y7d3

Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.

CVE-2024-52317
GHSA-qvf5-hvjx-wm27

VCID-v7tp-1t4h-zqeg

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected.

CVE-2023-28708
GHSA-2c9m-w27f-53rm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:33:01.446381+00:00	GitLab Importer	Affected by	VCID-fpgj-82wf-ykbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-53506.yml	38.4.0
2026-04-16T23:14:58.631669+00:00	GitLab Importer	Fixing	VCID-9qgr-t27j-y7d3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2024-52317.yml	38.4.0
2026-04-16T22:29:46.518864+00:00	GitLab Importer	Affected by	VCID-xgr8-tpv5-q3b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28709.yml	38.4.0
2026-04-16T22:24:26.382367+00:00	GitLab Importer	Fixing	VCID-v7tp-1t4h-zqeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28708.yml	38.4.0
2026-04-12T00:52:59.940512+00:00	GitLab Importer	Affected by	VCID-fpgj-82wf-ykbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-53506.yml	38.3.0
2026-04-12T00:33:34.052676+00:00	GitLab Importer	Fixing	VCID-9qgr-t27j-y7d3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2024-52317.yml	38.3.0
2026-04-11T23:48:22.397601+00:00	GitLab Importer	Affected by	VCID-xgr8-tpv5-q3b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28709.yml	38.3.0
2026-04-11T23:42:37.114192+00:00	GitLab Importer	Fixing	VCID-v7tp-1t4h-zqeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28708.yml	38.3.0
2026-04-07T04:56:28.217857+00:00	GHSA Importer	Fixing	VCID-9qgr-t27j-y7d3	https://github.com/advisories/GHSA-qvf5-hvjx-wm27	38.1.0
2026-04-03T01:01:09.297018+00:00	GitLab Importer	Affected by	VCID-fpgj-82wf-ykbw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-53506.yml	38.1.0
2026-04-03T00:41:16.948498+00:00	GitLab Importer	Fixing	VCID-9qgr-t27j-y7d3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2024-52317.yml	38.1.0
2026-04-02T23:51:45.073639+00:00	GitLab Importer	Affected by	VCID-xgr8-tpv5-q3b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28709.yml	38.1.0
2026-04-02T23:46:31.085983+00:00	GitLab Importer	Fixing	VCID-v7tp-1t4h-zqeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28708.yml	38.1.0
2026-04-02T12:40:26.263519+00:00	GitLab Importer	Fixing	VCID-9qgr-t27j-y7d3	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2024-52317.yml	38.0.0
2026-04-01T12:51:18.630009+00:00	GitLab Importer	Affected by	VCID-xgr8-tpv5-q3b2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28709.yml	38.0.0
2026-04-01T12:51:10.776622+00:00	GithubOSV Importer	Fixing	VCID-9qgr-t27j-y7d3	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-qvf5-hvjx-wm27/GHSA-qvf5-hvjx-wm27.json	38.0.0
2026-04-01T12:51:01.712096+00:00	GitLab Importer	Fixing	VCID-v7tp-1t4h-zqeg	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28708.yml	38.0.0