VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat@8.5.84

Search for packages

Vulnerability	Summary	Fixed by
VCID-56jv-htmt-rkew Aliases: CVE-2023-24998 GHSA-hfrx-6qgj-fp6c	Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.	8.5.85 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.71 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.5 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M3 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-b3bb-9ajg-sfc9 Aliases: CVE-2023-46589 GHSA-fccv-jmmp-qg76	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.	8.5.96 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.83 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.16 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M11 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-g7bk-891a-uufy Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5	Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.	9.0.5 Affected by 24 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-56jv-htmt-rkew
Aliases:
CVE-2023-24998
GHSA-hfrx-6qgj-fp6c

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

8.5.85
Affected by 5 other vulnerabilities.

9.0.71
Affected by 4 other vulnerabilities.

10.1.5
Affected by 4 other vulnerabilities.

11.0.0-M3
Affected by 1 other vulnerability.

VCID-b3bb-9ajg-sfc9
Aliases:
CVE-2023-46589
GHSA-fccv-jmmp-qg76

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

8.5.96
Affected by 1 other vulnerability.

9.0.83
Affected by 2 other vulnerabilities.

10.1.16
Affected by 1 other vulnerability.

11.0.0-M11
Affected by 4 other vulnerabilities.

11.0.1
Affected by 4 other vulnerabilities.

VCID-g7bk-891a-uufy
Aliases:
CVE-2018-1305
GHSA-jx6h-3fjx-cgv5

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

9.0.5
Affected by 24 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-stds-vw5z-auhp	The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.	CVE-2022-45143 GHSA-rq2w-37h9-vg94

Vulnerability

Summary

Aliases

VCID-stds-vw5z-auhp

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

CVE-2022-45143
GHSA-rq2w-37h9-vg94

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:44:12.388486+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml	38.4.0
2026-04-16T22:18:56.781536+00:00	GitLab Importer	Fixing	VCID-stds-vw5z-auhp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-45143.yml	38.4.0
2026-04-16T20:41:45.709902+00:00	GitLab Importer	Affected by	VCID-g7bk-891a-uufy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml	38.4.0
2026-04-12T00:03:49.331899+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml	38.3.0
2026-04-11T23:36:40.984565+00:00	GitLab Importer	Fixing	VCID-stds-vw5z-auhp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-45143.yml	38.3.0
2026-04-11T21:52:21.613652+00:00	GitLab Importer	Affected by	VCID-g7bk-891a-uufy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml	38.3.0
2026-04-03T00:08:29.977902+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml	38.1.0
2026-04-02T23:41:09.505477+00:00	GitLab Importer	Fixing	VCID-stds-vw5z-auhp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-45143.yml	38.1.0
2026-04-02T22:06:08.475331+00:00	GitLab Importer	Affected by	VCID-g7bk-891a-uufy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml	38.1.0
2026-04-01T18:03:44.895443+00:00	GitLab Importer	Fixing	VCID-stds-vw5z-auhp	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2022-45143.yml	38.0.0
2026-04-01T16:23:07.192921+00:00	GitLab Importer	Affected by	VCID-g7bk-891a-uufy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml	38.0.0
2026-04-01T12:38:10.306486+00:00	Apache Tomcat Importer	Fixing	VCID-stds-vw5z-auhp	https://tomcat.apache.org/security-8.html	38.0.0
2026-04-01T12:38:10.277511+00:00	Apache Tomcat Importer	Affected by	VCID-56jv-htmt-rkew	https://tomcat.apache.org/security-8.html	38.0.0