
22 matches found

Apache Tomcat
added 2025/08/06 12:0 a.m. | 9 views

Fixed in Apache Tomcat 9.0.108

Important: DoS in HTTP/2 due to client triggered stream reset (CVE-2025-48989). Tomcat's HTTP/2 implementation was vulnerable to the made you reset attack. The denial of service typically manifested as an OutOfMemoryError. This was fixed with commit f36b8a4e. This issue was reported to the ASF...

7.5 CVSS | 6.6 AI score | 0.02931 EPSS
Exploits: 0 | Affected Software: 1

OSV
added 2025/07/10 7:15 p.m. | 2 views

UBUNTU-CVE-2025-52434

Concurrent Execution using Shared Resource with Improper Synchronization 'Race Condition' vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 throug...

7.5 CVSS | 6.9 AI score | 0.01819 EPSS
Exploits: 0 | References: 3

Tenable Nessus
added 2025/05/16 12:0 a.m. | 25 views

Apache Tomcat 9.0.0-M1 < 9.0.104 Multiple Vulnerabilities

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.104, 10.1.0-M1 prior to 10.1.40 or 11.0.0-M1 prior to 11.0.6. It is, therefore, affected by multiple vulnerabilities: - A denial of service via invalid HTTP priority header. CVE-2025-31650 - A rewrite rule bypass...

9.8 CVSS | 9.8 AI score | 0.66365 EPSS
Exploits: 6 | References: 3

OpenVAS
added 2024/07/04 12:0 a.m. | 38 views

Apache Tomcat DoS Vulnerability (Jul 2024) - Windows

Apache Tomcat is prone to a denial of service (DoS) vulnerability.

7.5 CVSS | 7.6 AI score | 0.04602 EPSS
Exploits: 0 | References: 4

Tenable Nessus
added 2024/07/03 12:0 a.m. | 233 views

Apache Tomcat 9.0.0.M1 < 9.0.90

The version of Tomcat installed on the remote host is prior to 9.0.90. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.90_security-9 advisory. - Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat...

7.5 CVSS | 7.3 AI score | 0.04602 EPSS
Exploits: 0 | References: 3

OpenVAS
added 2024/03/13 12:0 a.m. | 30 views

Apache Tomcat Multiple DoS Vulnerabilities (Mar 2024) - Linux

Apache Tomcat is prone to multiple denial of service (DoS) vulnerabilities.

7.5 CVSS | 7.4 AI score | 0.23072 EPSS
Exploits: 1 | References: 8

Tenable Nessus
added 2024/01/11 12:0 a.m. | 34 views

Oracle Linux 8 : tomcat (ELSA-2024-0125)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-0125 advisory. - Open Redirect vulnerability in FORM authentication CVE-2023-41080 - FileUpload: DoS due to accumulation of temporary files on Windows CVE-2023-42794 ...

6.1 CVSS | 7.4 AI score | 0.05972 EPSS
Exploits: 2 | References: 5

OSV
added 2023/10/10 6:15 p.m. | 45 views

CVE-2023-42795

Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling...

5.3 CVSS | 7.5 AI score
Exploits: 0 | References: 6

NVD
added 2023/08/25 9:15 p.m. | 22 views

CVE-2023-41080

URL Redirection to Untrusted Site 'Open Redirect' vulnerability in FORM authentication feature Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, EOL versions may als...

6.1 CVSS | 7 AI score | 0.05972 EPSS
Exploits: 0 | References: 5

Tenable Nessus
added 2021/08/03 12:0 a.m. | 89 views

Apache Tomcat 9.0.0.M1 < 9.0.48

The version of Tomcat installed on the remote host is prior to 9.0.48. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.48_security-9 advisory. - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP...

5.3 CVSS | 7.2 AI score | 0.75353 EPSS
Exploits: 1 | References: 5

Tenable Nessus
added 2021/07/19 12:0 a.m. | 15 views

Apache Tomcat 9.0.0.M1 < 9.0.48 Request Smuggling

The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.47 or 8.5.0 to 8.5.67. It is, therefore, affected by a request smuggling because Apache Tomcat did not correctly parse the HTTP transfer-encoding request header in some circumstances when used with a...

5.3 CVSS | 5.9 AI score | 0.75353 EPSS
Exploits: 1 | References: 2

Tenable Nessus
added 2021/07/19 12:0 a.m. | 25 views

Apache Tomcat 9.0.0.M1 < 9.0.46 Authentication Weakness

The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.5, 9.0.0.M1 to 9.0.45, 8.5.0 to 8.5.65 or 7.0.0 to 7.0.108. It is, therefore, affected by an authentication weakness due to queries made by the JNDI Realm which did not always correctly escape parameters. Note that the...

6.5 CVSS | 7 AI score | 0.09886 EPSS
Exploits: 0 | References: 2

Tenable Nessus
added 2021/03/05 12:0 a.m. | 46 views

Apache Tomcat 9.0.0.M1 < 9.0.43 Multiple Vulnerabilities

The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.1, 9.0.0.M1 to 9.0.42, 8.5.0 to 8.5.62 or 7.0.0 to 7.0.107. It is, therefore, affected by a remote code execution due to an incomplete fix for CVE-2020-9484 and an information disclosure due to request mix-up with h2c...

7.5 CVSS | 8 AI score | 0.56636 EPSS
Exploits: 15 | References: 3

Tenable Nessus
added 2020/12/08 12:0 a.m. | 16 views

Apache Tomcat 9.0.0.M1 < 9.0.40 Information Disclosure

The version of Apache Tomcat installed on the remote host is 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 or 7.0.0 to 7.0.106. It is, therefore, affected by a vulnerability. Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2...

7.5 CVSS | 6.4 AI score | 0.24622 EPSS
Exploits: 0 | References: 3

Positive Technologies
added 2020/09/30 12:0 a.m. | 8 views

PT-2022-2604

Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 8.5.0 through 8.5.75; Apache Tomcat versions 9.0.0.M1 through 9.0.20. Description: The issue is related to errors when a web application sends a WebSocket message concurrently with the WebSocket connection closing. This cou...

9.8 CVSS | 7 AI score | 0.9927 EPSS
Exploits: 58 | References: 119

Tenable Nessus
added 2020/07/03 12:0 a.m. | 227 views

Apache Tomcat 9.0.0.M1 < 9.0.36

The version of Tomcat installed on the remote host is prior to 9.0.36. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.36_security-9 advisory. - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.3...

7.5 CVSS | 8 AI score | 0.26699 EPSS
Exploits: 0 | References: 3

OpenVAS
added 2020/06/29 12:0 a.m. | 135 views

Apache Tomcat DoS Vulnerability (Jun 2020) - Windows

Apache Tomcat is prone to a denial of service vulnerability.

7.5 CVSS | 7.5 AI score | 0.26699 EPSS
Exploits: 0 | References: 1

Tenable Nessus
added 2020/02/28 12:0 a.m. | 24 views

Apache Tomcat 9.0.0.M1 < 9.0.30 Session Fixation

The version of Apache Tomcat installed on the remote host is 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 or 7.0.0 to 7.0.98. It is, therefore, affected by a session fixation vulnerability when using FORM authentication. Note that the scanner has not attempted to exploit these issues but has instead relie...

7.5 CVSS | 7.8 AI score | 0.10687 EPSS
Exploits: 0 | References: 2

Tenable Nessus
added 2019/12/27 12:0 a.m. | 505 views

Apache Tomcat 9.0.0.M1 < 9.0.30

The version of Tomcat installed on the remote host is prior to 9.0.30. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.30_security-9 advisory. - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there...

7.5 CVSS | 6.9 AI score | 0.10687 EPSS
Exploits: 0 | References: 3

OpenVAS
added 2018/08/03 12:0 a.m. | 158 views

Apache Tomcat 'Hostname Verification' Security Bypass Vulnerability - Windows

Apache Tomcat is prone to a security bypass vulnerability.

7.5 CVSS | 8.8 AI score | 0.213 EPSS
Exploits: 0 | References: 5