BIT-TOMCAT-2020-1938
When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that...
BIT-TOMCAT-2023-28708 Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 10.1.0 to 10.1.5, 9.0.0 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the...
[SECURITY] [DLA 4244-1] tomcat9 security update
Debian LTS Advisory DLA-4244-1 https://www.debian.org/lts/security/ Markus Koschany July 22, 2025 https://wiki.debian.org/LTS Package : tomcat9 Version : 9.0.107-0+deb11u1 CVE ID : CVE-2024-34750 CVE-2024-54677 CVE-2025-31650 CVE-2025-31651 CVE-2025-46701 CVE-2025-4897...
DLA-4244-1 tomcat9 - security update
[SECURITY] [DLA 4108-1] tomcat9 security update
Debian LTS Advisory DLA-4108-1 https://www.debian.org/lts/security/ Markus Koschany April 02, 2025 https://wiki.debian.org/LTS Package : tomcat9 Version : 9.0.43-2deb11u12 CVE ID : CVE-2025-24813 A security vulnerability was found in Tomcat 9, a Java based web server a...
Debian dla-4108 : libtomcat9-embed-java - security update
The remote Debian 11 host has packages installed that are affected by a vulnerability as referenced in the dla-4108 advisory. Debian LTS Advisory DLA-4108-1 https://www.debian.org/lts/security/...
Debian dla-4017 : libtomcat9-embed-java - security update
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4017 advisory. Debian LTS Advisory DLA-4017-1...
[SECURITY] [DLA 4017-1] tomcat9 security update
Debian LTS Advisory DLA-4017-1 https://www.debian.org/lts/security/ Markus Koschany January 17, 2025 https://wiki.debian.org/LTS Package : tomcat9 Version : 9.0.43-2deb11u11 CVE ID : CVE-2024-21733 CVE-2024-38286 CVE-2024-50379 CVE-2024-52316 CVE-2024-56337 Several...
GHSA-V682-8VV8-VPWR vulnerabilities
Vulnerabilities for packages: tomcat...
GHSA-7W75-32CG-R6G2 vulnerabilities
Vulnerabilities for packages: tomcat...
CVE-2024-23672 vulnerabilities
Vulnerabilities for packages: tomcat...
CVE-2024-24549 vulnerabilities
Vulnerabilities for packages: tomcat...
GHSA-QPPJ-FM5R-HXR3 vulnerabilities
Vulnerabilities for packages: envoy-ratelimit, ko, kubeflow-katib, rqlite, mc, dynamic-localpv-provisioner, kubernetes-csi-livenessprobe, kpt, ip-masq-agent, nghttp2, scorecard, pulumi-language-java, nats, slsa-verifier, skaffold, gke-gcloud-auth-plugin, cosign, nginx-mainline, kubevela,...
Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-002)
The version of tomcat installed on the remote host is prior to 9.0.71-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2TOMCAT9-2023-002 advisory. If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore...
CVE-2023-28708
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure...
Improper Resource Shutdown or Release in Apache Tomcat
In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each...
Remote Code Execution (RCE)
spring-beans is vulnerable to remote code execution. Using Spring Parameter Binding with non-basic parameter types, such as POJOs, allows an unauthenticated attacker to execute arbitrary code on the target system by writing or uploading arbitrary files, e.g. .jsp files, to a location that can be...
CVE-2022-23181 Local privilege escalation with FileStore
The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is...