VulnerableCode Package Details - pkg:apache/tomcat@11.0.0-M3

Search for packages

Vulnerability	Summary	Fixed by
VCID-2yb1-zq4x-aaad Aliases: CVE-2023-28709 GHSA-cx6h-86xw-9x34	The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.	11.0.0-M5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ah95-hj74-aaaq Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	There are no reported fixed by versions.
VCID-ma76-864y-aaaf Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h	The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-2yb1-zq4x-aaad
Aliases:
CVE-2023-28709
GHSA-cx6h-86xw-9x34

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

11.0.0-M5
Affected by 2 other vulnerabilities.

VCID-ah95-hj74-aaaq
Aliases:
CVE-2017-12617
GHSA-xjgh-84hx-56c5

Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

There are no reported fixed by versions.

VCID-ma76-864y-aaaf
Aliases:
CVE-2005-4836
GHSA-qrcx-p4rr-g48h

The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
VCID-2c6h-srga-aaap	Apache Commons FileUpload denial of service vulnerability	CVE-2023-24998 GHSA-hfrx-6qgj-fp6c
VCID-7sta-sz5f-aaap	Apache Tomcat vulnerable to Unprotected Transport of Credentials	CVE-2023-28708 GHSA-2c9m-w27f-53rm

Vulnerability

Summary

Aliases

VCID-2c6h-srga-aaap

Apache Commons FileUpload denial of service vulnerability

CVE-2023-24998
GHSA-hfrx-6qgj-fp6c

VCID-7sta-sz5f-aaap

Apache Tomcat vulnerable to Unprotected Transport of Credentials

CVE-2023-28708
GHSA-2c9m-w27f-53rm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T13:19:13.304789+00:00	Apache Tomcat Importer	Fixing	VCID-2c6h-srga-aaap	https://tomcat.apache.org/security-11.html	36.0.0
2025-03-28T13:19:13.258906+00:00	Apache Tomcat Importer	Fixing	VCID-7sta-sz5f-aaap	https://tomcat.apache.org/security-11.html	36.0.0
2024-09-18T08:17:24.688864+00:00	Apache Tomcat Importer	Fixing	VCID-2c6h-srga-aaap	https://tomcat.apache.org/security-11.html	34.0.1
2024-09-18T08:17:24.625610+00:00	Apache Tomcat Importer	Fixing	VCID-7sta-sz5f-aaap	https://tomcat.apache.org/security-11.html	34.0.1
2024-01-04T02:15:29.821979+00:00	Apache Tomcat Importer	Fixing	VCID-2c6h-srga-aaap	https://tomcat.apache.org/security-11.html	34.0.0rc1
2024-01-04T02:15:29.775934+00:00	Apache Tomcat Importer	Fixing	VCID-7sta-sz5f-aaap	https://tomcat.apache.org/security-11.html	34.0.0rc1