Search for packages
Package details: pkg:maven/org.apache.tomcat/tomcat-coyote@10.0.0
purl pkg:maven/org.apache.tomcat/tomcat-coyote@10.0.0
Next non-vulnerable version 10.1.40
Latest non-vulnerable version 11.0.10
Risk 10.0
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-1nex-fumc-nfgc
Aliases:
CVE-2021-33037
GHSA-4vww-mc66-62m6
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
10.0.7
Affected by 3 other vulnerabilities.
VCID-53ea-3wyh-xfg7
Aliases:
CVE-2020-17527
GHSA-vvw4-rfwf-p6hx
While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.
10.0.2
Affected by 4 other vulnerabilities.
VCID-7nj6-9exh-5qgr
Aliases:
CVE-2022-42252
GHSA-p22x-g9px-3945
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
10.0.27
Affected by 1 other vulnerability.
10.1.1
Affected by 3 other vulnerabilities.
VCID-mx9m-1qg7-67gh
Aliases:
CVE-2021-43980
GHSA-jx7c-7mj5-9438
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
10.0.20
Affected by 2 other vulnerabilities.
10.1.1
Affected by 3 other vulnerabilities.
VCID-qpdb-4y18-b3hf
Aliases:
CVE-2020-13935
GHSA-m7jv-hq7h-mq7c
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
10.0.2
Affected by 4 other vulnerabilities.
VCID-umzc-c88f-5yck
Aliases:
CVE-2020-13934
GHSA-vf77-8h7g-gghp
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
10.0.2
Affected by 4 other vulnerabilities.
VCID-w5uu-nj7c-wka6
Aliases:
CVE-2023-44487
GHSA-qppj-fm5r-hxr3
VSV00013
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
10.1.14
Affected by 2 other vulnerabilities.
11.0.0-M12
Affected by 1 other vulnerability.
VCID-zp3z-es2m-37e5
Aliases:
CVE-2020-13943
GHSA-f268-65qc-98vg
If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
10.0.2
Affected by 4 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-08-01T10:52:46.087934+00:00 GitLab Importer Affected by VCID-7nj6-9exh-5qgr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2022-42252.yml 37.0.0
2025-08-01T10:48:56.482979+00:00 GitLab Importer Affected by VCID-mx9m-1qg7-67gh https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2021-43980.yml 37.0.0
2025-08-01T09:45:49.518045+00:00 GitLab Importer Affected by VCID-53ea-3wyh-xfg7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2020-17527.yml 37.0.0
2025-08-01T09:43:46.651858+00:00 GitLab Importer Affected by VCID-zp3z-es2m-37e5 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2020-13943.yml 37.0.0
2025-08-01T09:34:24.760826+00:00 GitLab Importer Affected by VCID-qpdb-4y18-b3hf https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2020-13935.yml 37.0.0
2025-08-01T09:34:23.961181+00:00 GitLab Importer Affected by VCID-umzc-c88f-5yck https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2020-13934.yml 37.0.0
2025-08-01T09:31:03.247244+00:00 GHSA Importer Affected by VCID-w5uu-nj7c-wka6 https://github.com/advisories/GHSA-qppj-fm5r-hxr3 37.0.0
2025-07-31T09:24:21.108576+00:00 GitLab Importer Affected by VCID-1nex-fumc-nfgc https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-coyote/CVE-2021-33037.yml 37.0.0