26 matches found
Apache Tomcat Session Fixation Vulnerability (Aug 2025) - Linux
Apache Tomcat is prone to a session fixation vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:tomcat"; if...
BIT-TOMCAT-2025-55668 Apache Tomcat: session fixation via rewrite valve
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.0 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.10...
Apache Tomcat DoS Vulnerability (Jul 2024) - Windows
Apache Tomcat is prone to a denial of service DoS vulnerability. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:apache:tomcat"; ...
Apache Tomcat 10.1.0-M1 < 10.1.19 Denial Of Service
The version of Apache Tomcat installed on the remote host is 8.5.0 to 8.5.98, 9.0.0-M1 to 9.0.85, 10.1.0-M1 to 10.1.18 or 11.0.0-M1 to 11.0.0-M16. It is, therefore, affected by two denial of service vulnerabilities related to WebSocket connection and HTTP/2 request. Note that the scanner has not...
CVE-2024-24549
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been...
Apache Tomcat Multiple DoS Vulnerabilities (Mar 2024) - Linux
Apache Tomcat is prone to multiple denial of service DoS vulnerabilities. SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
BIT-TOMCAT-2022-29885 EncryptInterceptor does not provide complete protection on insecure networks
The documentation of Apache Tomcat 10.1.0 to 10.1.0, 10.0.0 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentialit...
Oracle Linux 8 : tomcat (ELSA-2024-0125)
The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-0125 advisory. - Open Redirect vulnerability in FORM authentication CVE-2023-41080 - FileUpload: DoS due to accumulation of temporary files on Windows CVE-2023-42794 ...
CVE-2023-42795
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling...
Apache Tomcat 10.1.0-M1 < 10.1.13 Open Redirect
The version of Apache Tomcat installed on the remote host is 8.5.0 to 8.5.92, 9.0.0-M1 to 9.0.79, 10.1.0-M1 to 10.1.12 or 11.0.0-M1 to 11.0.0-M10. If the ROOT default web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger...
CVE-2023-41080
URL Redirection to Untrusted Site 'Open Redirect' vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may als...
Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2023-176)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-176 advisory. The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing but extremely hard to trigger concurrency bug...
Apache Tomcat 10.1.0-M1 < 10.1.6 Information Disclosure
The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.86, 9.0.0-M1 prior to 9.0.72, 10.1.0-M1 prior to 10.1.6 or 11.0.0-M1 prior to 11.0.0-M3. It is, therefore, affected by an information disclosure due to the RemoteIpFilter. Note that the scanner has not attempted to...
Apache Tomcat 11.0.0-M1 < 11.0.0-M3 Denial Of Service
The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.85, 9.0.0-M1 prior to 9.0.71, 10.1.0-M1 prior to 10.1.5 or 11.0.0-M1 prior to 11.0.0-M3. It is, therefore, affected by a denial of service due to a vulnerability in the file upload functionality in the Apache Commons...
Apache Tomcat 10.1.0.M1 < 10.1.5
The version of Tomcat installed on the remote host is prior to 10.1.5. It is, therefore, affected by a vulnerability as referenced in the fixedinapachetomcat10.1.5security-10 advisory. - Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in t...
Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2023-1341)
The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
Apache Tomcat 10.1.0-M1 < 10.1.2 JsonErrorReportValve Injection
The version of Apache Tomcat installed on the remote host is 8.5.x to 8.5.83, 9.0.0-M1 to 9.0.68 or 10.1.0-M1 to 10.1.1. It is, therefore, affected by a JsonErrorReportValve injection vulnerability. The JsonErrorReportValve did not escape the type, message or description values. In some...
Apache Tomcat JsonErrorReportValve Injection Vulnerability (Jan 2023) - Linux
Apache Tomcat is prone to a JsonErrorReportValve injection vulnerability. SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
CVE-2022-45143
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or...
Apache Tomcat 10.1.0.M1 < 10.1.1
The version of Tomcat installed on the remote host is prior to 10.1.1. It is, therefore, affected by a vulnerability as referenced in the fixedinapachetomcat10.1.1security-10 advisory. - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configur...