VulnerableCode Package Details - pkg:apache/tomcat@11.0.0-M11

Search for packages

Vulnerability	Summary	Fixed by
VCID-6y3x-kyj7-aaaf Aliases: CVE-2023-44487 GHSA-qppj-fm5r-hxr3 VSV00013	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.	11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-7sta-sz5f-aaap Aliases: CVE-2023-28708 GHSA-2c9m-w27f-53rm	Apache Tomcat vulnerable to Unprotected Transport of Credentials	11.0.0-M3 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ah95-hj74-aaaq Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	There are no reported fixed by versions.
VCID-f68z-z5n7-aaae Aliases: CVE-2023-42795 GHSA-g8pj-r55q-5c2v	Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.	11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ma76-864y-aaaf Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h	The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.	There are no reported fixed by versions.
VCID-r78u-gre6-aaaj Aliases: CVE-2023-45648 GHSA-r6j3-px5g-cq3x	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.	11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6y3x-kyj7-aaaf
Aliases:
CVE-2023-44487
GHSA-qppj-fm5r-hxr3
VSV00013

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

11.0.0-M12
Affected by 3 other vulnerabilities.

VCID-7sta-sz5f-aaap
Aliases:
CVE-2023-28708
GHSA-2c9m-w27f-53rm

Apache Tomcat vulnerable to Unprotected Transport of Credentials

11.0.0-M3
Affected by 3 other vulnerabilities.

VCID-ah95-hj74-aaaq
Aliases:
CVE-2017-12617
GHSA-xjgh-84hx-56c5

Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

There are no reported fixed by versions.

VCID-f68z-z5n7-aaae
Aliases:
CVE-2023-42795
GHSA-g8pj-r55q-5c2v

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

11.0.0-M12
Affected by 3 other vulnerabilities.

VCID-ma76-864y-aaaf
Aliases:
CVE-2005-4836
GHSA-qrcx-p4rr-g48h

The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.

There are no reported fixed by versions.

VCID-r78u-gre6-aaaj
Aliases:
CVE-2023-45648
GHSA-r6j3-px5g-cq3x

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

11.0.0-M12
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-e318-2aad-aaag	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.	CVE-2023-41080 GHSA-q3mw-pvr8-9ggc
VCID-pcvp-wv2z-aaas	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.	CVE-2023-46589 GHSA-fccv-jmmp-qg76

Vulnerability

Summary

Aliases

VCID-e318-2aad-aaag

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.

CVE-2023-41080
GHSA-q3mw-pvr8-9ggc

VCID-pcvp-wv2z-aaas

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

CVE-2023-46589
GHSA-fccv-jmmp-qg76

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T13:19:13.090945+00:00	Apache Tomcat Importer	Fixing	VCID-pcvp-wv2z-aaas	https://tomcat.apache.org/security-11.html	36.0.0
2025-03-28T13:19:13.033115+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-11.html	36.0.0
2025-03-28T13:19:12.971119+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-11.html	36.0.0
2025-03-28T13:19:12.914214+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-11.html	36.0.0
2025-03-28T13:19:12.855235+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-11.html	36.0.0
2024-09-18T08:17:24.453443+00:00	Apache Tomcat Importer	Fixing	VCID-pcvp-wv2z-aaas	https://tomcat.apache.org/security-11.html	34.0.1
2024-09-18T08:17:24.400153+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-11.html	34.0.1
2024-09-18T08:17:24.344635+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-11.html	34.0.1
2024-09-18T08:17:24.289758+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-11.html	34.0.1
2024-09-18T08:17:24.190200+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-11.html	34.0.1
2024-01-04T02:15:29.619309+00:00	Apache Tomcat Importer	Fixing	VCID-pcvp-wv2z-aaas	https://tomcat.apache.org/security-11.html	34.0.0rc1
2024-01-04T02:15:29.571200+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-11.html	34.0.0rc1
2024-01-04T02:15:29.517913+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-11.html	34.0.0rc1
2024-01-04T02:15:29.467523+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-11.html	34.0.0rc1
2024-01-04T02:15:29.416774+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-11.html	34.0.0rc1