VulnerableCode Package Details - pkg:apache/tomcat@9.0.104

Search for packages

Vulnerability	Summary	Fixed by
VCID-h5vt-s4xq-hkbn Aliases: CVE-2025-46701 GHSA-h2fw-rfh5-95r3	Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.	9.0.105 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.41 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.7 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-h5vt-s4xq-hkbn
Aliases:
CVE-2025-46701
GHSA-h2fw-rfh5-95r3

Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.

9.0.105
Affected by 4 other vulnerabilities.

10.1.41
Affected by 4 other vulnerabilities.

11.0.7
Affected by 4 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-ckkm-g4kc-tfbg	Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.	CVE-2025-31650 GHSA-3p2h-wqq4-wf4h
VCID-yzt8-watu-qkcs	Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.	CVE-2025-31651 GHSA-ff77-26x5-69cr

Vulnerability

Summary

Aliases

VCID-ckkm-g4kc-tfbg

Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue.

CVE-2025-31650
GHSA-3p2h-wqq4-wf4h

VCID-yzt8-watu-qkcs

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.

CVE-2025-31651
GHSA-ff77-26x5-69cr

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-05-29T21:46:12.851818+00:00	Apache Tomcat Importer	Affected by	VCID-h5vt-s4xq-hkbn	https://tomcat.apache.org/security-9.html	36.0.0
2025-04-29T00:32:30.380206+00:00	Apache Tomcat Importer	Fixing	VCID-ckkm-g4kc-tfbg	https://tomcat.apache.org/security-9.html	36.0.0
2025-04-29T00:32:30.284395+00:00	Apache Tomcat Importer	Fixing	VCID-yzt8-watu-qkcs	https://tomcat.apache.org/security-9.html	36.0.0