Search for packages
| purl | pkg:maven/org.apache.tomcat/tomcat-coyote@9.0.0-M1 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-56jv-htmt-rkew
Aliases: CVE-2023-24998 GHSA-hfrx-6qgj-fp6c |
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-8myk-ac5b-huh8
Aliases: CVE-2024-34750 GHSA-wm9w-rjj3-j356 |
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-nmq2-8ysj-4fbc
Aliases: CVE-2022-42252 GHSA-p22x-g9px-3945 |
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. |
Affected by 2 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-ran8-rnqn-tkbc
Aliases: CVE-2020-17527 GHSA-vvw4-rfwf-p6hx |
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. |
Affected by 6 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-vsdf-4tfj-uybe
Aliases: CVE-2024-24549 GHSA-7w75-32cg-r6g2 |
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-wgsc-dnn1-ukeq
Aliases: CVE-2020-13943 GHSA-f268-65qc-98vg |
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. |
Affected by 8 other vulnerabilities. Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-02T16:58:59.019471+00:00 | GHSA Importer | Affected by | VCID-56jv-htmt-rkew | https://github.com/advisories/GHSA-hfrx-6qgj-fp6c | 38.1.0 |
| 2026-04-01T16:05:57.328682+00:00 | GHSA Importer | Affected by | VCID-8myk-ac5b-huh8 | https://github.com/advisories/GHSA-wm9w-rjj3-j356 | 38.0.0 |
| 2026-04-01T16:04:49.811047+00:00 | GHSA Importer | Affected by | VCID-vsdf-4tfj-uybe | https://github.com/advisories/GHSA-7w75-32cg-r6g2 | 38.0.0 |
| 2026-04-01T16:03:55.923876+00:00 | GHSA Importer | Affected by | VCID-nmq2-8ysj-4fbc | https://github.com/advisories/GHSA-p22x-g9px-3945 | 38.0.0 |
| 2026-04-01T15:59:34.428857+00:00 | GHSA Importer | Affected by | VCID-wgsc-dnn1-ukeq | https://github.com/advisories/GHSA-f268-65qc-98vg | 38.0.0 |
| 2026-04-01T15:59:34.025493+00:00 | GHSA Importer | Affected by | VCID-ran8-rnqn-tkbc | https://github.com/advisories/GHSA-vvw4-rfwf-p6hx | 38.0.0 |