Apache Tomcat 11.0.0.M1 < 11.0.22 multiple vulnerabilities

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(316002);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/26");

  script_cve_id(
    "CVE-2026-41284",
    "CVE-2026-41293",
    "CVE-2026-42498",
    "CVE-2026-43512",
    "CVE-2026-43513",
    "CVE-2026-43514",
    "CVE-2026-43515"
  );

  script_name(english:"Apache Tomcat 11.0.0.M1 < 11.0.22 multiple vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by multiple vulnerabilities");
  script_set_attribute(attribute:"description", value:
"The version of Tomcat installed on the remote host is prior to 11.0.22. It is, therefore, affected by multiple
vulnerabilities as referenced in the fixed_in_apache_tomcat_11.0.22_security-11 advisory.

  - DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This
    issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1
    through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be
    affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43512)

  - Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same
    extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from
    10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through
    7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43515)

  - Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects
    Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through
    9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be
    affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43514)

  - Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects
    Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through
    9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be
    affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
    (CVE-2026-43513)

  - Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability
    in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through
    10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are
    recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue. (CVE-2026-42498)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://github.com/apache/tomcat/commit/0659748659ec75253fea5aac72cab6f94e79c419
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?01b3d8ce");
  # https://github.com/apache/tomcat/commit/276087d9c7abbcecc6c4fb4e4b08cf64780c6e36
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7f1ef2ab");
  # https://github.com/apache/tomcat/commit/d35d9d23263c8e4af561f615c960c91697ff200e
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?03ab0db2");
  # https://github.com/apache/tomcat/commit/83f3e51df7b87f5f6e626951c575ded1a512e8ef
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7d1df983");
  # https://github.com/apache/tomcat/commit/a99c355e8199adbfd67c9a1fffbd85b810b196cd
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7fa9e2d2");
  # https://github.com/apache/tomcat/commit/b7b173694d588ddcfa432f079baf763cbbbaa5c4
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b18f1568");
  # https://github.com/apache/tomcat/commit/e5cef9618c3f4fd31bd6fb1e83f0f18022280dac
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ce495882");
  # https://github.com/apache/tomcat/commit/3915fd27e6810b14ccd21e3d900bd8faef44d3df
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?c7247677");
  # https://github.com/apache/tomcat/commit/c2925554c677da57390f940d856871e18daaacab
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3fbd6a3f");
  # https://github.com/apache/tomcat/commit/a96fffd18487a29c0a30d36f00cb2b2d91f6d42c
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2c02ca65");
  # https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.22
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?78978f4d");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Tomcat version 11.0.22 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-43512");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/05/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2026/05/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/05/21");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat:11");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
  script_require_keys("installed_sw/Apache Tomcat");

  exit(0);
}

include('vcf_extras.inc');

vcf::tomcat::initialize();
var app_info = vcf::combined_get_app_info(app:'Apache Tomcat');

var constraints = [
  { 'min_version' : '11.0.0.M1', 'max_version' : '11.0.21', 'fixed_version' : '11.0.22' }
];

vcf::check_all_backporting(app_info:app_info);
vcf::check_granularity(app_info:app_info, sig_segments:3);
vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_HOLE
);