VulnerableCode Package Details - pkg:apache/tomcat@9.0.71

Search for packages

Vulnerability	Summary	Fixed by
VCID-c32f-584t-xuam Aliases: CVE-2023-28709 GHSA-cx6h-86xw-9x34	The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.	9.0.74 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 10.1.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M5 Affected by 0 other vulnerabilities.
VCID-kdkb-2vcc-7ka1 Aliases: CVE-2023-28708 GHSA-2c9m-w27f-53rm	When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.	9.0.72 Affected by 0 other vulnerabilities. 10.1.6 Affected by 0 other vulnerabilities. 11.0.0-M3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-c32f-584t-xuam
Aliases:
CVE-2023-28709
GHSA-cx6h-86xw-9x34

The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

9.0.74
Affected by 1 other vulnerability.

10.1.8
Affected by 1 other vulnerability.

11.0.0-M5
Affected by 0 other vulnerabilities.

VCID-kdkb-2vcc-7ka1
Aliases:
CVE-2023-28708
GHSA-2c9m-w27f-53rm

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

9.0.72
Affected by 0 other vulnerabilities.

10.1.6
Affected by 0 other vulnerabilities.

11.0.0-M3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-pqmr-zjbb-8fhv	Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.	CVE-2023-24998 GHSA-hfrx-6qgj-fp6c

Vulnerability

Summary

Aliases

VCID-pqmr-zjbb-8fhv

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

CVE-2023-24998
GHSA-hfrx-6qgj-fp6c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-07-31T08:03:19.159096+00:00	Apache Tomcat Importer	Fixing	VCID-pqmr-zjbb-8fhv	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:19.126650+00:00	Apache Tomcat Importer	Affected by	VCID-kdkb-2vcc-7ka1	https://tomcat.apache.org/security-9.html	37.0.0
2025-07-31T08:03:19.095100+00:00	Apache Tomcat Importer	Affected by	VCID-c32f-584t-xuam	https://tomcat.apache.org/security-9.html	37.0.0