Package details: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@11.0.0-M12
purl: pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@11.0.0-M12
Next non-vulnerable version: 11.0.8
Latest non-vulnerable version: 11.0.10
Risk: 10.0
Vulnerabilities affecting this package (5)

VCID-4bq7-1e1e-d7c3
Aliases: CVE-2024-24549, GHSA-7w75-32cg-r6g2
Summary: Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue.
Fixed by: 11.0.0-M17 (this version is itself affected by 4 other vulnerabilities)

VCID-59vp-c676-dfa4
Aliases: CVE-2025-46701, GHSA-h2fw-rfh5-95r3
Summary: Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's CGI servlet allows bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.
Fixed by: 11.0.7 (this version is itself affected by 2 other vulnerabilities)

VCID-856z-sjqh-qfbz
Aliases: CVE-2025-31651, GHSA-ff77-26x5-69cr
Summary: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Fixed by: 11.0.6 (this version is itself affected by 1 other vulnerability)

VCID-kdkb-2vcc-7ka1
Aliases: CVE-2023-28708, GHSA-2c9m-w27f-53rm
Summary: When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.
Fixed by: 11.0.0 (this version is itself affected by 5 other vulnerabilities)

VCID-wbae-761d-qqeq
Aliases: CVE-2025-31650, GHSA-3p2h-wqq4-wf4h
Summary: Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request, which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6, which fix the issue.
Fixed by: 11.0.6 (this version is itself affected by 1 other vulnerability)
Vulnerabilities fixed by this package (3)

VCID-5hpn-smw4-pqcs
Aliases: CVE-2023-42795, GHSA-g8pj-r55q-5c2v
Summary: Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

VCID-pjyw-m6xk-9qbb
Aliases: CVE-2023-45648, GHSA-r6j3-px5g-cq3x
Summary: Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests, leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.

VCID-w5uu-nj7c-wka6
Aliases: CVE-2023-44487, GHSA-qppj-fm5r-hxr3, VSV00013
Summary: The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T13:42:26.842546+00:00 GHSA Importer Fixing VCID-pjyw-m6xk-9qbb https://github.com/advisories/GHSA-r6j3-px5g-cq3x 37.0.0
2025-08-01T13:42:18.897385+00:00 GHSA Importer Fixing VCID-5hpn-smw4-pqcs https://github.com/advisories/GHSA-g8pj-r55q-5c2v 37.0.0
2025-08-01T12:21:35.968098+00:00 GitLab Importer Affected by VCID-59vp-c676-dfa4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-46701.yml 37.0.0
2025-08-01T12:19:11.283988+00:00 GitLab Importer Affected by VCID-wbae-761d-qqeq https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-31650.yml 37.0.0
2025-08-01T12:19:09.513528+00:00 GitLab Importer Affected by VCID-856z-sjqh-qfbz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2025-31651.yml 37.0.0
2025-08-01T11:37:57.811483+00:00 GitLab Importer Affected by VCID-4bq7-1e1e-d7c3 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2024-24549.yml 37.0.0
2025-08-01T11:03:57.351545+00:00 GitLab Importer Affected by VCID-kdkb-2vcc-7ka1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-28708.yml 37.0.0
2025-08-01T09:30:53.622293+00:00 GHSA Importer Fixing VCID-w5uu-nj7c-wka6 https://github.com/advisories/GHSA-qppj-fm5r-hxr3 37.0.0
2025-07-31T09:30:16.074347+00:00 GitLab Importer Fixing VCID-5hpn-smw4-pqcs https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-42795.yml 37.0.0
2025-07-31T09:30:14.394948+00:00 GitLab Importer Fixing VCID-w5uu-nj7c-wka6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-44487.yml 37.0.0
2025-07-31T09:30:13.651172+00:00 GitLab Importer Fixing VCID-pjyw-m6xk-9qbb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat.embed/tomcat-embed-core/CVE-2023-45648.yml 37.0.0
2025-07-31T08:40:04.028685+00:00 GithubOSV Importer Fixing VCID-w5uu-nj7c-wka6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-qppj-fm5r-hxr3/GHSA-qppj-fm5r-hxr3.json 37.0.0
2025-07-31T08:39:46.645027+00:00 GithubOSV Importer Fixing VCID-5hpn-smw4-pqcs https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-g8pj-r55q-5c2v/GHSA-g8pj-r55q-5c2v.json 37.0.0
2025-07-31T08:39:44.882278+00:00 GithubOSV Importer Fixing VCID-pjyw-m6xk-9qbb https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-r6j3-px5g-cq3x/GHSA-r6j3-px5g-cq3x.json 37.0.0