USN-8417-1 tomcat9, tomcat10 vulnerabilities

It was discovered that Tomcat did not properly limit the size of WebDAV LOCK and PROPFIND request bodies. A remote attacker could use this issue to cause Tomcat to consume excessive memory, resulting in a denial of service. CVE-2026-41284 It was discovered that Tomcat incorrectly validated HTTP/2...

[SECURITY] [DLA 4619-1] tomcat9 security update

Debian LTS Advisory DLA-4619-1 [email protected] https://www.debian.org/lts/security/ Markus Koschany June 07, 2026 https://wiki.debian.org/LTS Package : tomcat9 Version : 9.0.118-0+deb11u1 CVE ID : CVE-2026-24880 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145 CVE-2026-29146 CVE-2026-3299...

Debian dla-4619 : libtomcat9-embed-java - security update

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4619 advisory. ------------------------------------------------------------------------- Debian LTS Advisory DLA-4619-1 [email protected]...

tomcat-9.0.118-1.1 on GA media (moderate)

tomcat-9.0.118-1.1 on GA media Announcement ID: openSUSE-SU-2026:10925-1 Rating: moderate Cross-References: CVE-2026-41284 CVE-2026-41293 CVE-2026-42498 CVE-2026-43512 CVE-2026-43513 CVE-2026-43514 CVE-2026-43515 CVSS scores: CVE-2026-41284 SUSE : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H...

Astra Linux - уязвимость в tomcat9

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61, or 7.0.0 to 7.0.107, the Tomcat instance was still vulnerable to CVE-2020-9494, even when using a configuration edge case that was highly unlikely to be used. It should be...

Astra Linux - уязвимость в tomcat9

Improper handling of exceptional conditions, and uncontrolled resource consumption vulnerabilities in Apache Tomcat. When processing an HTTP/2 stream, Tomcat failed to correctly handle some cases of excessive HTTP headers. This resulted in an incorrect count of active HTTP/2 streams, leading to t...

Astra Linux - уязвимость в tomcat9

There is a vulnerability in Apache Tomcat known as “Allocation of Resources Without Limits or Throttling”. This issue affects Apache Tomcat versions from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, and from 9.0.0.M1 through 9.0.105. The following versions were already discontinued E...

Astra Linux - уязвимость в tomcat9

DoS attack due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeds any of the configured limits for headers, the associated HTTP/2 stream is not reset until all headers have been processed. This issue affects...

Astra Linux - уязвимость в tomcat9

Apache Tomcat versions 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43, and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop, resulting in a denial of...

Astra Linux - уязвимость в tomcat9

There is a vulnerability related to observable timing discrepancies when comparing AJP secrets in Apache Tomcat. This issue affects Apache Tomcat versions as follows: 11.0.0-M1 through 11.0.21, 10.1.0-M1 through 10.1.54, 9.0.0.M1 through 9.0.117, 8.5.0 through 8.5.100, and 7.0.0 through 7.0.109...

Astra Linux - уязвимость в tomcat9

The simplified implementation of blocking reads and writes introduced in Tomcat 10, and backported to Tomcat 9.0.47 and later versions, exposed a long-standing but extremely difficult to trigger concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60, and...

Astra Linux - уязвимость в tomcat9, libcommons-fileupload-java

Apache Commons FileUpload before version 1.5 does not limit the number of request parts that can be processed, which allows an attacker to trigger a DoS attack with a malicious upload or series of uploads. It should be noted that, like all file upload limitations, the new configuration option...

Astra Linux - уязвимость в tomcat9

In some unusual configurations of multipart uploads, an Integer Overflow vulnerability in Apache Tomcat can lead to a Denial-of-Service attack by bypassing size limits. This issue affects Apache Tomcat versions as follows: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, and from...

RHSA-2026:18536 Red Hat Security Advisory: tomcat9 security update

Bulletin has no description...

RHEL 10 : tomcat9 (RHSA-2026:18536)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:18536 advisory. Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages...

CLEANSTART-2026-UZ56639 Security fixes for CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998, CVE-2023-28708 applied in versions: 9.0.58-r0, 9.0.63-r0, 9.0.64-r0, 9.0.68-r0, 9.0.70-r0, 9.0.71-r0, 9.0.73-r0, 9.0.80-r0

Multiple security vulnerabilities affect the tomcat9 package. These issues are resolved in later releases. See references for individual vulnerability details...

Astra Linux – Vulnerability in libcommons-fileupload-java, tomcat9

The allocation of resources for multipart headers with insufficient limits enabled created a DoS vulnerability in Apache Commons FileUpload. This issue affects Apache Commons FileUpload: versions from 1.0 before 1.6, and from 2.0.0-M1 before 2.0.0-M4. Users are recommended to upgrade to version 1...

Astra Linux – Vulnerability in Tomcat9

Apache Tomcat versions 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46, and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, which could lead to requests for data smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored t...

Astra Linux – Vulnerability in Tomcat9

The vulnerability involving uncontrolled resource consumption in the Apache Tomcat-based example web applications leads to a denial-of-service attack. This issue affects Apache Tomcat versions as follows: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, and from 9.0.0.M1 through...

Astra Linux – Vulnerabilities in nghttp2, netty, tomcat9, jetty9, grpc

The HTTP/2 protocol allows for a denial of service server resource consumption, as request cancellation can quickly reset many streams, as exploited in practice from August to October 2023...