VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat-coyote@8.5.94

Search for packages

Vulnerability	Summary	Fixed by
VCID-7uaw-6w3w-aaar Aliases: CVE-2024-24549 GHSA-7w75-32cg-r6g2	Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.	8.5.99 Affected by 0 other vulnerabilities. 9.0.86 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.19 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M17 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-pcvp-wv2z-aaas Aliases: CVE-2023-46589 GHSA-fccv-jmmp-qg76	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.	8.5.96 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.83 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.16 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-7uaw-6w3w-aaar
Aliases:
CVE-2024-24549
GHSA-7w75-32cg-r6g2

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.

8.5.99
Affected by 0 other vulnerabilities.

9.0.86
Affected by 2 other vulnerabilities.

10.1.19
Affected by 2 other vulnerabilities.

11.0.0-M17
Affected by 2 other vulnerabilities.

VCID-pcvp-wv2z-aaas
Aliases:
CVE-2023-46589
GHSA-fccv-jmmp-qg76

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

8.5.96
Affected by 1 other vulnerability.

9.0.83
Affected by 3 other vulnerabilities.

10.1.16
Affected by 3 other vulnerabilities.

11.0.1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-6y3x-kyj7-aaaf	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.	CVE-2023-44487 GHSA-qppj-fm5r-hxr3 VSV00013
VCID-aznr-24qt-aaaa	Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.	CVE-2023-42794 GHSA-jm7m-8jh6-29hp

Vulnerability

Summary

Aliases

VCID-6y3x-kyj7-aaaf

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

CVE-2023-44487
GHSA-qppj-fm5r-hxr3
VSV00013

VCID-aznr-24qt-aaaa

Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

CVE-2023-42794
GHSA-jm7m-8jh6-29hp

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-06-20T16:48:39.668527+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	36.1.3
2025-06-09T22:37:45.505974+00:00	GHSA Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/advisories/GHSA-qppj-fm5r-hxr3	36.1.0
2025-06-09T20:18:33.559617+00:00	GithubOSV Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json	36.1.0
2025-06-03T23:26:15.100326+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	36.1.0
2025-06-02T23:23:49.929294+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	36.1.2
2025-04-04T11:33:28.509597+00:00	GithubOSV Importer	Fixing	VCID-aznr-24qt-aaaa	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-jm7m-8jh6-29hp/GHSA-jm7m-8jh6-29hp.json	36.0.0
2025-04-04T11:33:09.236751+00:00	GithubOSV Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json	36.0.0
2025-04-03T21:46:40.165957+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	36.0.0
2025-03-29T10:49:39.964746+00:00	GHSA Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/advisories/GHSA-qppj-fm5r-hxr3	36.0.0
2025-03-29T10:49:32.068248+00:00	GHSA Importer	Fixing	VCID-aznr-24qt-aaaa	https://github.com/advisories/GHSA-jm7m-8jh6-29hp	36.0.0
2025-02-18T01:05:26.546341+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	35.1.0
2025-01-16T20:08:58.691506+00:00	GithubOSV Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json	35.1.0
2024-12-23T15:31:08.029775+00:00	GHSA Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/advisories/GHSA-qppj-fm5r-hxr3	35.0.0
2024-11-20T23:30:39.625645+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	35.0.0
2024-11-18T23:19:31.915656+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	34.3.2
2024-10-15T19:17:15.205599+00:00	GithubOSV Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json	34.0.2
2024-10-08T00:16:55.818333+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	34.0.2
2024-10-07T22:05:12.995919+00:00	GHSA Importer	Affected by	VCID-7uaw-6w3w-aaar	https://github.com/advisories/GHSA-7w75-32cg-r6g2	34.0.2
2024-10-07T21:44:44.190671+00:00	GHSA Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/advisories/GHSA-qppj-fm5r-hxr3	34.0.2
2024-09-23T00:30:57.114973+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	34.0.1
2024-09-22T22:27:08.966634+00:00	GHSA Importer	Affected by	VCID-7uaw-6w3w-aaar	https://github.com/advisories/GHSA-7w75-32cg-r6g2	34.0.1
2024-09-18T09:22:18.410190+00:00	GithubOSV Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json	34.0.1
2024-09-17T21:59:47.200480+00:00	GHSA Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/advisories/GHSA-qppj-fm5r-hxr3	34.0.1
2024-08-07T21:25:41.609794+00:00	GHSA Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/advisories/GHSA-qppj-fm5r-hxr3	34.0.0rc4
2024-08-07T20:53:48.575823+00:00	GithubOSV Importer	Fixing	VCID-6y3x-kyj7-aaaf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json	34.0.0rc4
2024-05-17T21:14:36.668028+00:00	GHSA Importer	Affected by	VCID-7uaw-6w3w-aaar	https://github.com/advisories/GHSA-7w75-32cg-r6g2	34.0.0rc4
2024-04-24T02:41:53.663252+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	34.0.0rc4
2024-01-10T05:17:12.290856+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	34.0.0rc2
2024-01-03T22:05:02.802417+00:00	GitLab Importer	Affected by	VCID-pcvp-wv2z-aaas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2023-46589.yml	34.0.0rc1