Search for packages
Package details: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.79
purl pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.79
Next non-vulnerable version 8.5.99
Latest non-vulnerable version 11.0.10
Risk 10.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-4bq7-1e1e-d7c3
Aliases:
CVE-2024-24549
GHSA-7w75-32cg-r6g2
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
8.5.99
Affected by 0 other vulnerabilities.
9.0.86
Affected by 3 other vulnerabilities.
10.1.19
Affected by 3 other vulnerabilities.
11.0.0-M17
Affected by 4 other vulnerabilities.
VCID-7nj6-9exh-5qgr
Aliases:
CVE-2022-42252
GHSA-p22x-g9px-3945
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
8.5.83
Affected by 5 other vulnerabilities.
9.0.68
Affected by 6 other vulnerabilities.
10.0.27
Affected by 2 other vulnerabilities.
10.1.1
Affected by 6 other vulnerabilities.
VCID-jubv-tebw-3fgb
Aliases:
CVE-2022-34305
GHSA-6j88-6whg-x687
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
8.5.82
Affected by 5 other vulnerabilities.
9.0.65
Affected by 7 other vulnerabilities.
10.0.23
Affected by 3 other vulnerabilities.
VCID-kdkb-2vcc-7ka1
Aliases:
CVE-2023-28708
GHSA-2c9m-w27f-53rm
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
8.5.86
Affected by 5 other vulnerabilities.
9.0.72
Affected by 6 other vulnerabilities.
10.1.6
Affected by 5 other vulnerabilities.
11.0.0
Affected by 5 other vulnerabilities.
VCID-r5jp-6b4w-rffw
Aliases:
CVE-2023-41080
GHSA-q3mw-pvr8-9ggc
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.
8.5.93
Affected by 3 other vulnerabilities.
9.0.80
Affected by 6 other vulnerabilities.
10.1.13
Affected by 5 other vulnerabilities.
11.0.0-M11
Affected by 6 other vulnerabilities.
11.0.1
Affected by 3 other vulnerabilities.
VCID-w5uu-nj7c-wka6
Aliases:
CVE-2023-44487
GHSA-qppj-fm5r-hxr3
VSV00013
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
8.5.94
Affected by 1 other vulnerability.
9.0.81
Affected by 4 other vulnerabilities.
10.1.14
Affected by 4 other vulnerabilities.
11.0.0-M12
Affected by 5 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-ghc6-gmwn-wyg2 The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. CVE-2022-29885
GHSA-r84p-88g2-2vx2

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T11:37:56.997343+00:00 GitLab Importer Affected by VCID-4bq7-1e1e-d7c3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2024-24549.yml 37.0.0
2025-08-01T11:18:30.793820+00:00 GitLab Importer Affected by VCID-r5jp-6b4w-rffw https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-41080.yml 37.0.0
2025-08-01T11:03:56.726164+00:00 GitLab Importer Affected by VCID-kdkb-2vcc-7ka1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28708.yml 37.0.0
2025-08-01T10:52:44.990305+00:00 GitLab Importer Affected by VCID-7nj6-9exh-5qgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2022-42252.yml 37.0.0
2025-08-01T10:41:06.251416+00:00 GitLab Importer Affected by VCID-jubv-tebw-3fgb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2022-34305.yml 37.0.0
2025-08-01T09:30:58.984544+00:00 GHSA Importer Affected by VCID-w5uu-nj7c-wka6 https://github.com/advisories/GHSA-qppj-fm5r-hxr3 37.0.0
2025-07-31T09:27:01.596597+00:00 GitLab Importer Fixing VCID-ghc6-gmwn-wyg2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2022-29885.yml 37.0.0