Astra Linux - уязвимость в tomcat9

The documentation for Apache Tomcat versions 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62, and 8.5.38 to 8.5.78 states that the EncryptInterceptor enables Tomcat clustering to run over an untrusted network. However, this is incorrect. While the EncryptInterceptor does provide...

Astra Linux - уязвимость в tomcat9

The Padding Oracle vulnerability exists in Apache Tomcat’s EncryptInterceptor with the default configuration. This issue affects Apache Tomcat: versions 11.0.0-M1 through 11.0.18, 10.0.0-M1 through 10.1.52, 9.0.13 through 9.0.115, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109. Users are...

Exploit for Missing Encryption of Sensitive Data in Apache Tomcat

CVE-2026-34486 EncryptInterceptor fail-open bypass in Apache...

CLSA-2026-1777396783 tomcat: Fix of CVE-2022-29885

CVE-2022-29885: fix documentation stating EncryptInterceptor does not protect against DoS on an untrusted network...

SUSE-SU-2026:21366-1 Security update for tomcat11

This update for tomcat11 fixes the following issues: - Update to Tomcat 11.0.21 - CVE-2026-24880: Request smuggling via invalid chunk extension bsc1261850. - CVE-2026-25854: Occasionally open redirect bsc1261851. - CVE-2026-29129: TLS cipher order is not preserved bsc1261852. - CVE-2026-29145: OC...

CVE-2026-34486

A flaw was found in Apache Tomcat. This vulnerability, categorized as Missing Encryption of Sensitive Data, arises from a bypass in the EncryptInterceptor, a component designed to ensure data encryption. This bypass, introduced as a fix for CVE-2026-29146, allows sensitive data to remain...

Linux Distros Unpatched Vulnerability : CVE-2026-29146

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18,...

EUVD-2026-21056

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the...

Apache Tomcat Missing Encryption of Sensitive Data vulnerability

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the...

GHSA-H468-7PVH-8VR8 Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are...

CVE-2026-29146

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are...

CVE-2026-34486

CVE-2026-34486 is a Tomcat Tribes EncryptInterceptor regression: when decryption fails, the code path previously moved super.messageReceived(msg) outside the try block, causing raw serialized bytes to bypass encryption and reach deserialization, enabling unauthenticated RCE via Java deserializati...

CVE-2026-29146

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are...

Apache Tomcat 安全漏洞

Apache Tomcat is a lightweight web application server developed by the Apache Foundation in the United States. It supports Servlet and JavaServer Page JSP technologies. Versions 11.0.20, 10.1.53, and 9.0.116 of Apache Tomcat contain security vulnerabilities. These vulnerabilities stem from the la...

Apache Tomcat 安全漏洞

Apache Tomcat is a lightweight web application server developed by the Apache Foundation in the United States. It supports Servlet and JavaServer Page JSP technologies. There are security vulnerabilities in Apache Tomcat versions 11.0.18 and earlier, 10.1.52 and earlier, 9.0.115 and earlier,...

Use of a Broken or Risky Cryptographic Algorithm

Overview Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm in the EncryptInterceptor class, which defaults to CBC mode. An attacker can obtain sensitive information via padding oracle. Remediation Upgrade org.apache.tomcat:tomcat-tribes to versio...

PT-2026-31712

Name of the Vulnerable Software and Affected Versions Apache Tomcat version 11.0.20 Apache Tomcat version 10.1.53 Apache Tomcat version 9.0.116 Description A fail-open regression in the Tribes clustering component allows the EncryptInterceptor to be bypassed. This occurs because failed decryption...

PT-2026-31700

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 11.0.0-M1 through 11.0.18, 10.0.0-M1 through 10.1.52, 9.0.13 through 9.0.115, 8.5.38 through 8.5.100, and 7.0.100 through 7.0.109 Description A padding oracle issue exists in Apache Tomcat's EncryptInterceptor when using...

Linux Distros Unpatched Vulnerability : CVE-2022-29885

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly...

Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : Tomcat vulnerabilities (USN-6943-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6943-1 advisory. It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore configurations. ...