Search for packages
| purl | pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.6 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3zw5-dkhq-s3gr
Aliases: CVE-2019-10072 GHSA-q4hg-rmq2-52q9 |
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-4bq7-1e1e-d7c3
Aliases: CVE-2024-24549 GHSA-7w75-32cg-r6g2 |
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. |
Affected by 0 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-52jg-1p2w-uqc9
Aliases: CVE-2021-30640 GHSA-36qh-35cm-5w2w |
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. |
Affected by 10 other vulnerabilities. Affected by 11 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-53ea-3wyh-xfg7
Aliases: CVE-2020-17527 GHSA-vvw4-rfwf-p6hx |
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. |
Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-7m6d-m7rr-fbgj
Aliases: CVE-2021-41079 GHSA-59g9-7gfx-c72p |
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. |
Affected by 11 other vulnerabilities. Affected by 12 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-7n44-6sjn-kufk
Aliases: CVE-2018-11784 GHSA-5q99-f34m-67gc |
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. |
Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-7nj6-9exh-5qgr
Aliases: CVE-2022-42252 GHSA-p22x-g9px-3945 |
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-8kh8-xx8e-83br
Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5 |
Affected by 26 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
|
VCID-8m28-utzk-x7gj
Aliases: CVE-2022-25762 GHSA-h3ch-5pp2-vh6w |
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. |
Affected by 8 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-anxt-ts7w-wye1
Aliases: CVE-2019-17563 GHSA-9xcj-c8cr-8c3c |
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-ay1a-2g1h-hkau
Aliases: CVE-2020-1745 GHSA-gv2w-88hx-8m9r |
Improper Authorization in Undertoe A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution. |
Affected by 19 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-aycw-nzkw-buhj
Aliases: CVE-2019-12418 GHSA-hh3j-x4mc-g48r |
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. |
Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-dzsr-5hq1-47fd
Aliases: CVE-2017-5651 GHSA-9hg2-395j-83rm |
Affected by 29 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
|
VCID-ee8x-kzqv-b3ht
Aliases: CVE-2020-11996 GHSA-53hp-jpwq-2jgq |
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. |
Affected by 17 other vulnerabilities. Affected by 16 other vulnerabilities. |
|
VCID-eyyu-e4kt-8ue5
Aliases: CVE-2021-25122 GHSA-j39c-c8hj-x4j3 |
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. |
Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-gkeu-um4m-ckef
Aliases: CVE-2020-9484 GHSA-344f-f5vg-2jfj |
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed. |
Affected by 18 other vulnerabilities. Affected by 17 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-hh8u-b2u9-pfgk
Aliases: CVE-2021-25329 GHSA-jgwr-3qm3-26f3 |
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. |
Affected by 14 other vulnerabilities. Affected by 14 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-j8tv-cs47-93h9
Aliases: CVE-2018-8014 GHSA-r4x2-3cq5-hqvp |
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. |
Affected by 24 other vulnerabilities. Affected by 1 other vulnerability. Affected by 25 other vulnerabilities. |
|
VCID-kdkb-2vcc-7ka1
Aliases: CVE-2023-28708 GHSA-2c9m-w27f-53rm |
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. |
Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-mx9m-1qg7-67gh
Aliases: CVE-2021-43980 GHSA-jx7c-7mj5-9438 |
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. |
Affected by 7 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. |
|
VCID-r5jp-6b4w-rffw
Aliases: CVE-2023-41080 GHSA-q3mw-pvr8-9ggc |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application. |
Affected by 3 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 6 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-s2yw-ayf9-gfgp
Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp |
Affected by 32 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
|
VCID-s87f-pf8e-yqcz
Aliases: CVE-2021-24122 GHSA-2rvv-w9r2-rg7m |
When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances. |
Affected by 15 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-ta6y-kc43-e3ap
Aliases: CVE-2017-7675 GHSA-68g5-8q7f-m384 |
Affected by 27 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
|
VCID-umzc-c88f-5yck
Aliases: CVE-2020-13934 GHSA-vf77-8h7g-gghp |
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service. |
Affected by 16 other vulnerabilities. Affected by 15 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-uy2u-497k-y7fh
Aliases: CVE-2017-5664 GHSA-jmvv-524f-hj5j |
Affected by 28 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
|
VCID-w5uu-nj7c-wka6
Aliases: CVE-2023-44487 GHSA-qppj-fm5r-hxr3 VSV00013 |
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
Affected by 1 other vulnerability. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-w67f-7ck2-83e2
Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq |
Affected by 32 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
|
VCID-w9dz-6ffc-cbgy
Aliases: GHSA-r53m-pfr5-7v87 |
Moderate severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core **Withdrawn:** Duplicate of GHSA-qcxh-w3j9-58qr |
Affected by 23 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-wqne-fp1b-5bb2
Aliases: CVE-2017-5650 GHSA-9785-w233-x6hv |
Affected by 29 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
|
VCID-x36b-25k2-ckcx
Aliases: CVE-2020-1935 GHSA-qxf4-chvg-4r8r |
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. |
Affected by 19 other vulnerabilities. Affected by 19 other vulnerabilities. |
|
VCID-xu7t-p6w1-4ycd
Aliases: CVE-2018-1304 GHSA-6rxj-58jh-436r |
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. |
Affected by 25 other vulnerabilities. Affected by 26 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||