Search for packages
| purl | pkg:maven/org.apache.tomcat/tomcat@11.0.0-M3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8war-4v58-eub2
Aliases: CVE-2026-24734 GHSA-mgp5-rv84-w37q |
Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later which fix the issue. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-56jv-htmt-rkew | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. |
CVE-2023-24998
GHSA-hfrx-6qgj-fp6c |
| VCID-v7tp-1t4h-zqeg | When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. Older, EOL versions may also be affected. |
CVE-2023-28708
GHSA-2c9m-w27f-53rm |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-17T00:18:04.825530+00:00 | GitLab Importer | Affected by | VCID-8war-4v58-eub2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2026-24734.yml | 38.4.0 |
| 2026-04-12T01:42:21.434079+00:00 | GitLab Importer | Affected by | VCID-8war-4v58-eub2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2026-24734.yml | 38.3.0 |
| 2026-04-03T01:51:14.355868+00:00 | GitLab Importer | Affected by | VCID-8war-4v58-eub2 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2026-24734.yml | 38.1.0 |
| 2026-04-01T12:38:04.655453+00:00 | Apache Tomcat Importer | Fixing | VCID-56jv-htmt-rkew | https://tomcat.apache.org/security-11.html | 38.0.0 |
| 2026-04-01T12:38:04.626326+00:00 | Apache Tomcat Importer | Fixing | VCID-v7tp-1t4h-zqeg | https://tomcat.apache.org/security-11.html | 38.0.0 |