VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat-coyote@10.0.0-M8

Search for packages

Vulnerability	Summary	Fixed by
VCID-s87f-pf8e-yqcz Aliases: CVE-2021-24122 GHSA-2rvv-w9r2-rg7m	When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.	10.0.0-M10 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-s87f-pf8e-yqcz
Aliases:
CVE-2021-24122
GHSA-2rvv-w9r2-rg7m

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

10.0.0-M10
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-zp3z-es2m-37e5	If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.	CVE-2020-13943 GHSA-f268-65qc-98vg

Vulnerability

Summary

Aliases

VCID-zp3z-es2m-37e5

If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

CVE-2020-13943
GHSA-f268-65qc-98vg

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-08-01T09:47:04.529538+00:00	GitLab Importer	Affected by	VCID-s87f-pf8e-yqcz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2021-24122.yml	37.0.0
2025-07-31T12:30:55.103249+00:00	GHSA Importer	Fixing	VCID-zp3z-es2m-37e5	https://github.com/advisories/GHSA-f268-65qc-98vg	37.0.0
2025-07-31T09:03:01.244026+00:00	GithubOSV Importer	Fixing	VCID-zp3z-es2m-37e5	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-f268-65qc-98vg/GHSA-f268-65qc-98vg.json	37.0.0