VulnerableCode Package Details - pkg:maven/org.apache.tomcat/coyote@10.0.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-j8tk-s915-pbfy Aliases: CVE-2021-43980 GHSA-jx7c-7mj5-9438	The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.	There are no reported fixed by versions.
VCID-qkx6-32cj-jfbp Aliases: CVE-2022-29885 GHSA-r84p-88g2-2vx2	The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.	There are no reported fixed by versions.
VCID-wgsc-dnn1-ukeq Aliases: CVE-2020-13943 GHSA-f268-65qc-98vg	If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-j8tk-s915-pbfy
Aliases:
CVE-2021-43980
GHSA-jx7c-7mj5-9438

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

There are no reported fixed by versions.

VCID-qkx6-32cj-jfbp
Aliases:
CVE-2022-29885
GHSA-r84p-88g2-2vx2

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

There are no reported fixed by versions.

VCID-wgsc-dnn1-ukeq
Aliases:
CVE-2020-13943
GHSA-f268-65qc-98vg

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-03T21:27:55.710043+00:00	GitLab Importer	Affected by	VCID-j8tk-s915-pbfy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/coyote/CVE-2021-43980.yml	38.1.0
2026-04-02T12:37:34.315304+00:00	GitLab Importer	Affected by	VCID-wgsc-dnn1-ukeq	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/coyote/CVE-2020-13943.yml	38.0.0
2026-04-01T12:50:04.605670+00:00	GitLab Importer	Affected by	VCID-qkx6-32cj-jfbp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/coyote/CVE-2022-29885.yml	38.0.0