VulnerableCode Package Details - pkg:apache/tomcat@10.1.13

Search for packages

Vulnerability	Summary	Fixed by
VCID-6y3x-kyj7-aaaf Aliases: CVE-2023-44487 GHSA-qppj-fm5r-hxr3 VSV00013	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.	10.1.14 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ah95-hj74-aaaq Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	There are no reported fixed by versions.
VCID-f68z-z5n7-aaae Aliases: CVE-2023-42795 GHSA-g8pj-r55q-5c2v	Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.	10.1.14 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ma76-864y-aaaf Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h	The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.	There are no reported fixed by versions.
VCID-r78u-gre6-aaaj Aliases: CVE-2023-45648 GHSA-r6j3-px5g-cq3x	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.	10.1.14 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6y3x-kyj7-aaaf
Aliases:
CVE-2023-44487
GHSA-qppj-fm5r-hxr3
VSV00013

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

10.1.14
Affected by 2 other vulnerabilities.

11.0.0-M12
Affected by 3 other vulnerabilities.

VCID-ah95-hj74-aaaq
Aliases:
CVE-2017-12617
GHSA-xjgh-84hx-56c5

Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

There are no reported fixed by versions.

VCID-f68z-z5n7-aaae
Aliases:
CVE-2023-42795
GHSA-g8pj-r55q-5c2v

Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

10.1.14
Affected by 2 other vulnerabilities.

11.0.0-M12
Affected by 3 other vulnerabilities.

VCID-ma76-864y-aaaf
Aliases:
CVE-2005-4836
GHSA-qrcx-p4rr-g48h

The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.

There are no reported fixed by versions.

VCID-r78u-gre6-aaaj
Aliases:
CVE-2023-45648
GHSA-r6j3-px5g-cq3x

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

10.1.14
Affected by 2 other vulnerabilities.

11.0.0-M12
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-e318-2aad-aaag	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.	CVE-2023-41080 GHSA-q3mw-pvr8-9ggc

Vulnerability

Summary

Aliases

VCID-e318-2aad-aaag

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.

CVE-2023-41080
GHSA-q3mw-pvr8-9ggc

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T13:19:13.842287+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-10.html	36.0.0
2025-03-28T13:19:13.786277+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-10.html	36.0.0
2025-03-28T13:19:13.735084+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-10.html	36.0.0
2025-03-28T13:19:13.674760+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-10.html	36.0.0
2024-09-18T08:17:25.159028+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-10.html	34.0.1
2024-09-18T08:17:25.105915+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-10.html	34.0.1
2024-09-18T08:17:25.056694+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-10.html	34.0.1
2024-09-18T08:17:25.003100+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-10.html	34.0.1
2024-01-04T02:15:30.084751+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-10.html	34.0.0rc1
2024-01-04T02:15:30.032329+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-10.html	34.0.0rc1
2024-01-04T02:15:29.977789+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-10.html	34.0.0rc1
2024-01-04T02:15:29.923012+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-10.html	34.0.0rc1