Search for packages
| purl | pkg:maven/org.apache.tomcat/tomcat-catalina@8.5.68 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-8m28-utzk-x7gj
Aliases: CVE-2022-25762 GHSA-h3ch-5pp2-vh6w |
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. |
Affected by 3 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-9wtx-mhfd-sfe4
Aliases: CVE-2024-52316 GHSA-xcpr-7mr4-h4xq |
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-mx9m-1qg7-67gh
Aliases: CVE-2021-43980 GHSA-jx7c-7mj5-9438 |
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client. |
Affected by 2 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-r5jp-6b4w-rffw
Aliases: CVE-2023-41080 GHSA-q3mw-pvr8-9ggc |
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application. |
Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-08-01T12:03:34.588340+00:00 | GitLab Importer | Affected by | VCID-9wtx-mhfd-sfe4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2024-52316.yml | 37.0.0 |
| 2025-08-01T11:18:29.731574+00:00 | GitLab Importer | Affected by | VCID-r5jp-6b4w-rffw | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2023-41080.yml | 37.0.0 |
| 2025-08-01T10:48:56.926159+00:00 | GitLab Importer | Affected by | VCID-mx9m-1qg7-67gh | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2021-43980.yml | 37.0.0 |
| 2025-08-01T10:23:46.236214+00:00 | GitLab Importer | Affected by | VCID-8m28-utzk-x7gj | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2022-25762.yml | 37.0.0 |