16 matches found

OSV
added 2026/03/24 10:21 a.m., 41 views

BIT-TOMCAT-2023-28708 Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 10.1.0 to 10.1.5, 9.0.0 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the...

CVSS 4.3, AI score 6.7, EPSS 0.0011
Exploits 0, References 3
Tenable Nessus
added 2025/07/10 12:00 a.m., 8 views

SUSE SLES15 / openSUSE 15 Security Update : tomcat10 (SUSE-SU-2025:02261-1)

The remote SUSE Linux SLES15 / SLESSAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2025:02261-1 advisory. - Fixed refactor CGI servlet to access resources via WebResources bsc1243815. - Fixed limits the total number of par...

CVSS 7.5, AI score 8, EPSS 0.00759
Exploits 2, References 11
OSV
added 2025/07/09 5:40 p.m., 8 views

SUSE-SU-2025:02261-1 Security update for tomcat10

This update for tomcat10 fixes the following issues: - Fixed refactor CGI servlet to access resources via WebResources bsc1243815. - Fixed limits the total number of parts in a multi-part request and limits the size of the headers provided with each part bsc1244656. - Fixed expand checks for...

CVSS 7.5, AI score 7.6, EPSS 0.00759
Exploits 2, References 8
Debian
added 2025/04/04 10:19 p.m., 16 views

[SECURITY] [DSA 5893-1] tomcat10 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-5893-1 [email protected] https://www.debian.org/security/ Markus Koschany April 05, 2025 https://www.debian.org/security/faq -...

CVSS 10, AI score 9.8, EPSS 0.9413
Exploits 44
Tenable Nessus
added 2025/04/04 12:00 a.m., 16 views

Debian dsa-5893 : libtomcat10-embed-java - security update

The remote Debian 12 host has packages installed that are affected by a vulnerability as referenced in the dsa-5893 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-5893-1 [email protected] https://www.debian.org/security/ Markus...

CVSS 10, AI score 9.1, EPSS 0.9413
Exploits 44, References 4
OSV
added 2025/03/26 11:29 a.m., 9 views

SUSE-SU-2025:1024-1 Security update for tomcat10

This update for tomcat10 fixes the following issues: - CVE-2025-24813: Fixed potential RCE and/or information disclosure/corruption with partial PUT bsc1239302 Other fixes: - Update to Tomcat 10.1.39 Fixes: + launch with java 17 bsc1239676 Catalina + Fix: 69602: Fix regression in releases from...

CVSS 10, AI score 9.8, EPSS 0.9413
Exploits 55, References 5
Debian
added 2025/01/17 4:21 p.m., 15 views

[SECURITY] [DSA 5845-1] tomcat10 security update

------------------------------------------------------------------------- Debian Security Advisory DSA-5845-1 [email protected] https://www.debian.org/security/ Markus Koschany January 17, 2025 https://www.debian.org/security/faq -...

CVSS 9.8, AI score 7.4, EPSS 0.84776
Exploits 13
Tenable Nessus
added 2025/01/17 12:00 a.m., 16 views

Debian dsa-5845 : libtomcat10-embed-java - security update

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5845 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-5845-1 [email protected] https://www.debian.org/securit...

CVSS 9.8, AI score 7.6, EPSS 0.84776
Exploits 13, References 15
Wolfi
added 2023/10/10 9:28 p.m., 41 views

GHSA-QPPJ-FM5R-HXR3 vulnerabilities

Vulnerabilities for packages: ko, flux-kustomize-controller, ollama, metacontroller, dynamic-localpv-provisioner, kots, prometheus-adapter, slsa-verifier, hey, nodetaint, fuse-overlayfs-snapshotter, node-problem-detector, nghttp2, secrets-store-csi-driver, nats, envoy-ratelimit, weaviate,...

AI score 5.8
Exploits 0
NVD
added 2023/03/22 11:15 a.m., 19 views

CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure...

CVSS 4.3, AI score 5.8, EPSS 0.0011
Exploits 0, References 2
Prion
added 2022/09/28 2:15 p.m., 39 views

Design/Logic Flaw

The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing but extremely hard to trigger concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 tha...

CVSS 2.6, AI score 4, EPSS 0.00203
Exploits 0, References 4, Affected software 2
Spring Engineering
added 2022/07/28 1:00 p.m., 14 views

Spring Authorization Server Is Going 1.0

We are excited to announce that we've started preparing for Spring Authorization Server 1.0 with plans to release the GA version in November 2022. It has been just over two years since we initially announced this new project, and we have come a long way since its initial development. The project h...

AI score 0.1
Exploits 0
Tenable Nessus
added 2022/04/01 12:00 a.m., 1136 views

Apache Tomcat 9.0.0.M1 < 9.0.62 Spring4Shell CVE-2021-43980

The version of Apache Tomcat installed on the remote host is 9.x prior to 9.0.62. - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing but extremely hard to trigger concurrency bug in Apache Tomcat...

CVSS 9.8, AI score 7.5, EPSS 0.94428
Exploits 99, References 3
Cvelist
added 2022/01/27 12:00 a.m., 37 views

CVE-2022-23181 Local privilege escalation with FileStore

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is...

AI score 7.3, EPSS 0.00236
Exploits 15, References 6
Tenable Nessus
added 2021/09/24 12:00 a.m., 32 views

EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2021-2489)

According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass som...

CVSS 6.5, AI score 7.5, EPSS 0.00123
Exploits 0, References 2
Cvelist
added 2020/06/26 4:27 p.m., 17 views

CVE-2020-11996

A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become...

AI score 7.5, EPSS 0.45121
Exploits 0, References 24