VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat-coyote@8.5.88

Search for packages

Vulnerability	Summary	Fixed by
VCID-5732-xnx7-tkfy Aliases: CVE-2023-34981 GHSA-mppv-79ch-vw6q	A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.	8.5.89 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-b3bb-9ajg-sfc9 Aliases: CVE-2023-46589 GHSA-fccv-jmmp-qg76	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.	8.5.96 Affected by 0 other vulnerabilities. 9.0.83 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 10.1.16 Affected by 0 other vulnerabilities. 11.0.1 Affected by 0 other vulnerabilities.
VCID-j6cj-ftyd-3ffa Aliases: CVE-2023-41080 GHSA-q3mw-pvr8-9ggc	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.	8.5.93 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.80 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 10.1.13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.0.1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-5732-xnx7-tkfy
Aliases:
CVE-2023-34981
GHSA-mppv-79ch-vw6q

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.

8.5.89
Affected by 2 other vulnerabilities.

VCID-b3bb-9ajg-sfc9
Aliases:
CVE-2023-46589
GHSA-fccv-jmmp-qg76

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

8.5.96
Affected by 0 other vulnerabilities.

9.0.83
Affected by 1 other vulnerability.

10.1.16
Affected by 0 other vulnerabilities.

11.0.1
Affected by 0 other vulnerabilities.

VCID-j6cj-ftyd-3ffa
Aliases:
CVE-2023-41080
GHSA-q3mw-pvr8-9ggc

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may also be affected. The vulnerability is limited to the ROOT (default) web application.

8.5.93
Affected by 1 other vulnerability.

9.0.80
Affected by 1 other vulnerability.

10.1.13
Affected by 1 other vulnerability.

11.0.1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-56jv-htmt-rkew	Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.	CVE-2023-24998 GHSA-hfrx-6qgj-fp6c
VCID-xgr8-tpv5-q3b2	The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.	CVE-2023-28709 GHSA-cx6h-86xw-9x34

Vulnerability

Summary

Aliases

VCID-56jv-htmt-rkew

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

CVE-2023-24998
GHSA-hfrx-6qgj-fp6c

VCID-xgr8-tpv5-q3b2

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

CVE-2023-28709
GHSA-cx6h-86xw-9x34

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:44:14.469680+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	38.4.0
2026-04-16T22:36:52.962531+00:00	GitLab Importer	Affected by	VCID-j6cj-ftyd-3ffa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-41080.yml	38.4.0
2026-04-16T22:22:26.677764+00:00	GitLab Importer	Fixing	VCID-56jv-htmt-rkew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-24998.yml	38.4.0
2026-04-12T00:03:51.613053+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	38.3.0
2026-04-11T23:56:10.710932+00:00	GitLab Importer	Affected by	VCID-j6cj-ftyd-3ffa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-41080.yml	38.3.0
2026-04-11T23:40:34.285724+00:00	GitLab Importer	Fixing	VCID-56jv-htmt-rkew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-24998.yml	38.3.0
2026-04-03T00:08:32.147164+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	38.1.0
2026-04-02T23:59:15.426091+00:00	GitLab Importer	Affected by	VCID-j6cj-ftyd-3ffa	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-41080.yml	38.1.0
2026-04-02T23:44:37.317416+00:00	GitLab Importer	Fixing	VCID-56jv-htmt-rkew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-24998.yml	38.1.0
2026-04-02T16:59:51.323530+00:00	GHSA Importer	Fixing	VCID-xgr8-tpv5-q3b2	https://github.com/advisories/GHSA-cx6h-86xw-9x34	38.1.0
2026-04-02T16:59:44.468883+00:00	GHSA Importer	Affected by	VCID-5732-xnx7-tkfy	https://github.com/advisories/GHSA-mppv-79ch-vw6q	38.1.0
2026-04-02T16:58:59.266786+00:00	GHSA Importer	Fixing	VCID-56jv-htmt-rkew	https://github.com/advisories/GHSA-hfrx-6qgj-fp6c	38.1.0
2026-04-01T12:59:16.380028+00:00	GithubOSV Importer	Affected by	VCID-5732-xnx7-tkfy	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/06/GHSA-mppv-79ch-vw6q/GHSA-mppv-79ch-vw6q.json	38.0.0
2026-04-01T12:58:59.263487+00:00	GithubOSV Importer	Fixing	VCID-xgr8-tpv5-q3b2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-cx6h-86xw-9x34/GHSA-cx6h-86xw-9x34.json	38.0.0
2026-04-01T12:58:21.934814+00:00	GithubOSV Importer	Fixing	VCID-56jv-htmt-rkew	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-hfrx-6qgj-fp6c/GHSA-hfrx-6qgj-fp6c.json	38.0.0
2026-04-01T12:50:55.316935+00:00	GitLab Importer	Fixing	VCID-56jv-htmt-rkew	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-24998.yml	38.0.0