Search for packages
| purl | pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-18q4-zark-s7a7
Aliases: CVE-2016-6794 GHSA-2rvf-329f-p99g |
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. |
Affected by 28 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-1hdb-24e3-f3d6
Aliases: CVE-2017-5651 GHSA-9hg2-395j-83rm |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. |
Affected by 24 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-246u-a4rh-yyd4
Aliases: CVE-2025-49125 GHSA-wc4r-xq3c-5cf3 |
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-2sbh-sy57-3uez
Aliases: CVE-2018-1304 GHSA-6rxj-58jh-436r |
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-2zq1-na8s-mfdd
Aliases: CVE-2025-31650 GHSA-3p2h-wqq4-wf4h |
Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-39e3-jfbg-s3hk
Aliases: CVE-2019-10072 GHSA-q4hg-rmq2-52q9 |
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. |
Affected by 21 other vulnerabilities. Affected by 21 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-46bv-6b7y-3bca
Aliases: CVE-2020-11996 GHSA-53hp-jpwq-2jgq |
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. |
Affected by 17 other vulnerabilities. Affected by 15 other vulnerabilities. |
|
VCID-4cag-c4pb-dfaz
Aliases: CVE-2025-61795 GHSA-hgrr-935x-pq79 |
Improper Resource Shutdown or Release vulnerability in Apache Tomcat. If an error occurred (including exceeding limits) during the processing of a multipart upload, temporary copies of the uploaded parts written to disc were not cleaned up immediately but left for the garbage collection process to delete. Depending on JVM settings, application memory usage and application load, it was possible that space for the temporary copies of uploaded parts would be filled faster than GC cleared it, leading to a DoS. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.11, from 10.1.0-M1 through 10.1.46, from 9.0.0.M1 through 9.0.109. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.12 or later, 10.1.47 or later or 9.0.110 or later which fixes the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-4tf3-7f5b-2ffu
Aliases: CVE-2017-7675 GHSA-68g5-8q7f-m384 |
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-5781-s1ny-q7ey
Aliases: CVE-2023-44487 GHSA-2m7v-gc89-fjqf GHSA-qppj-fm5r-hxr3 GHSA-vx74-f528-fxqg GHSA-xpw8-rcwv-8f8p GMS-2023-3377 VSV00013 |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
|
VCID-5etb-njwf-rfdu
Aliases: GHSA-r53m-pfr5-7v87 |
Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core **Withdrawn:** Duplicate of GHSA-qcxh-w3j9-58qr |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-5sgv-7nsz-5fa8
Aliases: CVE-2025-24813 GHSA-83qj-6fr2-vhqg |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-66kh-s6cr-tqf9
Aliases: CVE-2020-9484 GHSA-344f-f5vg-2jfj |
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. |
Affected by 18 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-8myk-ac5b-huh8
Aliases: CVE-2024-34750 GHSA-wm9w-rjj3-j356 |
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
|
VCID-a8gk-n8bq-87cp
Aliases: CVE-2021-24122 GHSA-2rvv-w9r2-rg7m |
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. |
Affected by 16 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-aeeu-fpay-wufz
Aliases: CVE-2018-1336 GHSA-m59c-jpc8-m2x4 |
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. |
Affected by 22 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-ayrd-8ntf-hkh3
Aliases: CVE-2022-25762 GHSA-h3ch-5pp2-vh6w |
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. |
Affected by 8 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-b3bb-9ajg-sfc9
Aliases: CVE-2023-46589 GHSA-fccv-jmmp-qg76 |
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11Â onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. |
Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-dy6m-zt6r-9ubd
Aliases: CVE-2021-41079 GHSA-59g9-7gfx-c72p |
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. |
Affected by 11 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-dzpn-w4b3-vbcm
Aliases: CVE-2019-17563 GHSA-9xcj-c8cr-8c3c |
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. |
Affected by 21 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-f77q-v5xp-e7dy
Aliases: CVE-2018-11784 GHSA-5q99-f34m-67gc |
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-fpgj-82wf-ykbw
Aliases: CVE-2025-53506 GHSA-25xr-qj8w-c4vf |
Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-fyfz-6tr5-2fc7
Aliases: CVE-2017-5664 GHSA-jmvv-524f-hj5j |
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. |
Affected by 23 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-g7bk-891a-uufy
Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5 |
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-gb2v-96xj-ybad
Aliases: CVE-2025-48988 GHSA-h3gc-qfqq-6h8f |
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-hmbm-5ysw-77bu
Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp |
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. |
Affected by 27 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-hves-r5bg-yfes
Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq |
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. |
Affected by 27 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-j6cj-ftyd-3ffa
Aliases: CVE-2023-41080 GHSA-q3mw-pvr8-9ggc |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-j8tk-s915-pbfy
Aliases: CVE-2021-43980 GHSA-jx7c-7mj5-9438 |
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. |
Affected by 7 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-k59r-wjt3-wqe5
Aliases: CVE-2025-52520 GHSA-wr62-c79q-cv37 |
For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-kukv-k3z7-7fgs
Aliases: CVE-2025-31651 GHSA-ff77-26x5-69cr |
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-kwab-3s4q-eka4
Aliases: CVE-2021-30640 GHSA-36qh-35cm-5w2w |
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. |
Affected by 10 other vulnerabilities. Affected by 10 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-m2zn-ja8d-7kg8
Aliases: CVE-2018-8034 GHSA-46j3-r4pj-4835 |
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-n3ab-nk7c-hqc9
Aliases: CVE-2021-25329 GHSA-jgwr-3qm3-26f3 |
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. |
Affected by 14 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-n3zn-tuck-gkfe
Aliases: CVE-2018-8014 GHSA-r4x2-3cq5-hqvp |
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. |
Affected by 22 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-n9yk-e49f-n7e7
Aliases: CVE-2023-42795 GHSA-g8pj-r55q-5c2v |
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-nmq2-8ysj-4fbc
Aliases: CVE-2022-42252 GHSA-p22x-g9px-3945 |
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. Affected by 5 other vulnerabilities. |
|
VCID-ruuh-g3fa-m7d8
Aliases: CVE-2019-12418 GHSA-hh3j-x4mc-g48r |
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. |
Affected by 21 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-rzj2-4kcj-43dq
Aliases: CVE-2023-45648 GHSA-r6j3-px5g-cq3x |
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-sr8e-w1qk-r7fz
Aliases: CVE-2025-46701 GHSA-h2fw-rfh5-95r3 |
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-t2ne-75ck-eqcr
Aliases: CVE-2021-25122 GHSA-j39c-c8hj-x4j3 |
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. |
Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-u3ck-cvgt-fuhd
Aliases: CVE-2017-5650 GHSA-9785-w233-x6hv |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads. |
Affected by 24 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-v7tp-1t4h-zqeg
Aliases: CVE-2023-28708 GHSA-2c9m-w27f-53rm |
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-v8ku-sjc8-wfga
Aliases: CVE-2024-50379 GHSA-5j33-cvvr-w245 |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
|
VCID-vdnj-sqmx-e3ep
Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5 |
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-vsdf-4tfj-uybe
Aliases: CVE-2024-24549 GHSA-7w75-32cg-r6g2 |
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
|
VCID-yfx4-4gsc-2kgh
Aliases: CVE-2020-1935 GHSA-qxf4-chvg-4r8r |
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. |
Affected by 19 other vulnerabilities. Affected by 18 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||