13 matches found
Astra Linux – Vulnerability in Tomcat9
Apache Tomcat has a Relative Path Traversal vulnerability. The fix for bug 60013 introduced a regression where the rewritten URL was normalized before being decoded. This created the possibility that, for rewrite rules that modify query parameters into the URL, an attacker could manipulate the...
tomcat: Apache Tomcat: Bypass of rules in Rewrite Valve
A flaw was found in Apache Tomcat's rewrite rule processing component. This vulnerability allows security constraints to be bypassed via specially crafted HTTP requests when specific, uncommon rewrite rule configurations are in use...
PT-2025-43996
Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 11.0.0-M1 through 11.0.10 Apache Tomcat versions 10.1.0-M1 through 10.1.44 Apache Tomcat versions 9.0.0.M11 through 9.0.108 Apache Tomcat versions 8.5.6 through 8.5.100 Description A relative path traversal issue exists...
Apache Tomcat 11.0.0-M1 < 11.0.8 Multiple Vulnerabilities
The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.106, 10.1.0-M1 prior to 10.1.42 or 11.0.0-M1 prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities : - A race condition on connection close could trigger a JVM crash when using the APR/Native...
Apache Tomcat 9.0.0-M1 < 9.0.106 Multiple Vulnerabilities
The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.106, 10.1.0-M1 prior to 10.1.42 or 11.0.0-M1 prior to 11.0.8. It is, therefore, affected by multiple vulnerabilities : - A race condition on connection close could trigger a JVM crash when using the APR/Native...
Fixed in Apache Tomcat 11.0.7
Low: CGI security constraint bypass CVE-2025-46701 When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL. This was...
Important: tomcat10
Issue Overview: Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException...
Apache Tomcat 11.0.0.M1 < 11.0.6 multiple vulnerabilities
The version of Tomcat installed on the remote host is prior to 11.0.6. It is, therefore, affected by multiple vulnerabilities as referenced in the fixedinapachetomcat11.0.6security-11 advisory. - Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a...
USN-6826-1 libapache-mod-jk vulnerability
Karl von Randow discovered that modjk was vulnerable to an authentication bypass. If the configuration did not provide explicit mounts for all possible proxied requests, an attacker could possibly use this vulnerability to bypass security constraints configured in httpd...
VulnCheck KEV: CVE-2021-34429
For Eclipse Jetty versions 9.4.37-9.4.42, 10.0.1-10.0.5 & 11.0.1-11.0.5, URIs can be crafted using some encoded characters to access the content of the WEB-INF directory and/or bypass some security constraints. This is a variation of the vulnerability reported in CVE-2021-28164/GHSA-v7ff-8wcx-gmc...
SimpleSAMLphp Security Bypass Vulnerability
SimpleSAMLphp is an application written in native PHP for handling validation.The SAML2Utils class provides a series of methods to validate XML digital signatures against given keywords. A security bypass vulnerability exists in SimpleSAMLphp. An attacker can bypass security constraints to perfor...
Web: Bypass of security constraints
org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /jsecuritycheck at the end of a URI...
Web: Bypass of security constraints
org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /jsecuritycheck at the end of a URI...