339 matches found

Apache Tomcat • added 2026/05/11 12:00 a.m.

Fixed in Apache Tomcat 10.1.55

Moderate: Security constraints not correctly applied (CVE-2026-43515). When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. This was fixed with commit c6213173. This issue was reported to the Tomcat securit...

CVSS 9.8 • AI score 5.8 • EPSS 0.00253 • Exploits 0 • Affected software 1
Apache Tomcat • added 2026/05/10 12:00 a.m.

Fixed in Apache Tomcat 9.0.118

Moderate: Security constraints not correctly applied (CVE-2026-43515). When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. This was fixed with commit db919ff9. This issue was reported to the Tomcat securit...

CVSS 9.8 • AI score 5.8 • EPSS 0.00253 • Exploits 0 • Affected software 1
Apache Tomcat • added 2026/05/05 12:00 a.m.

Fixed in Apache Tomcat 11.0.22

Moderate: Security constraints not correctly applied (CVE-2026-43515). When multiple security constraints defined an HTTP method constraint for the same extension pattern, only the first method constraint was applied. This was fixed with commits 276087d9 and 06597486. This issue was reported to the...

CVSS 9.8 • AI score 5.8 • EPSS 0.00253 • Exploits 0 • Affected software 1
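The CVE-2026-43515 entries above describe a descriptor shape, not a request: two or more `<security-constraint>` elements that each attach an `<http-method>` list to the same `<url-pattern>`. Whether a deployment is exposed before it can be upgraded is therefore answerable from `WEB-INF/web.xml` alone. The audit below is an example added to this page, not Tomcat's code; the descriptor it parses is constructed for the demonstration, and the `*.jsp` / `/api/*` patterns and role names are invented.

```python
"""Audit a web.xml for the CVE-2026-43515 trigger condition: two or more
<security-constraint> elements that each put an <http-method> constraint on
the same <url-pattern>.  Example code added to this page, not Tomcat's own
code; the web.xml below is constructed for the demo."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: two constraints on *.jsp with different method lists.
# On an unfixed Tomcat only the first method constraint would be enforced.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>jsp-get</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>GET</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>jsp-post</web-resource-name>
      <url-pattern>*.jsp</url-pattern>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>api</web-resource-name>
      <url-pattern>/api/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace so Servlet 2.x to 6.x descriptors parse alike."""
    return tag.rsplit('}', 1)[-1]

def method_constraints(web_xml_text):
    """Map url-pattern -> list of (collection name, methods) for every
    web-resource-collection that lists explicit <http-method> elements.
    Collections without <http-method> cover all methods and are not the
    case this CVE describes, so they are left out."""
    root = ET.fromstring(web_xml_text)
    by_pattern = defaultdict(list)
    for sc in root.iter():
        if _local(sc.tag) != 'security-constraint':
            continue
        for wrc in sc:
            if _local(wrc.tag) != 'web-resource-collection':
                continue
            name, patterns, methods = '', [], []
            for child in wrc:
                tag, text = _local(child.tag), (child.text or '').strip()
                if tag == 'web-resource-name':
                    name = text
                elif tag == 'url-pattern':
                    patterns.append(text)
                elif tag == 'http-method':
                    methods.append(text.upper())
            if methods:
                for p in patterns:
                    by_pattern[p].append((name, tuple(methods)))
    return dict(by_pattern)

def overlapping_method_constraints(web_xml_text):
    """Patterns that carry method constraints from more than one
    security-constraint.  Extension patterns (*.ext) are the case the
    advisory names; path patterns are reported too so they get reviewed."""
    return {p: entries for p, entries in method_constraints(web_xml_text).items()
            if len(entries) > 1}

if __name__ == '__main__':
    for pattern, entries in overlapping_method_constraints(SAMPLE_WEB_XML).items():
        kind = 'extension' if pattern.startswith('*.') else 'path'
        print(f'{pattern} ({kind} pattern) has method constraints in {len(entries)} places:')
        for name, methods in entries:
            print(f'  {name}: {", ".join(methods)}')
```

Point it at each deployed application's `WEB-INF/web.xml` (and at `conf/web.xml`, which is merged into every application). A reported extension pattern means the second and later method constraints for it were not enforced on an unfixed build; the fix is the upgrade listed above, and only where the roles are identical can the collections be folded into one `<security-constraint>` as an interim measure (my suggestion, not the advisory's).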
Apache Tomcat • added 2026/04/09 7:20 p.m.

Fixed in Apache Tomcat Native Connector 2.0.14 / 1.3.7

Moderate: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145). CLIENTCERT authentication did not fail OCSP checks as expected for some scenarios when soft fail was disabled. This was fixed with commit bcea0ac2 (2.0.x) and 204f7f8a (1.3.x). This issue was reported to the Tomc...

CVSS 9.1 • AI score 5.8 • EPSS 0.00028 • Exploits 1 • Affected software 1
Apache Tomcat • added 2026/04/04 12:00 a.m.

Fixed in Apache Tomcat 11.0.21

Moderate: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500). CLIENTCERT authentication did not fail as expected for some scenarios when soft fail was disabled and FFM was used. This was fixed with commit c13e60e7. This issue was reported to the Tomcat security...

CVSS 7.5 • AI score 5.9 • EPSS 0.12919 • Exploits 5 • Affected software 1
Apache Tomcat • added 2026/04/03 12:00 a.m.

Fixed in Apache Tomcat 9.0.117

Moderate: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500). CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used. This was fixed with commit ff589ab2. This issue was reported to the Tomcat security...

CVSS 7.5 • AI score 5.9 • EPSS 0.12919 • Exploits 5 • Affected software 1
Apache Tomcat • added 2026/04/02 12:00 a.m.

Fixed in Apache Tomcat 10.1.54

Moderate: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500). CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used. This was fixed with commit 29b56a56. This issue was reported to the Tomcat security...

CVSS 7.5 • AI score 5.9 • EPSS 0.12919 • Exploits 5 • Affected software 1
Apache Tomcat • added 2026/03/23 12:00 a.m.

Fixed in Apache Tomcat 10.1.53

Moderate: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990). The validation of SNI name and host name did not take account of possible differences in case, allowing the strict SNI checks to be bypassed. This was fixed with commit 4d0615a5. This issue was reported to the Tomcat security team o...

CVSS 9.1 • AI score 6.7 • EPSS 0.12919 • Exploits 2 • Affected software 1
Apache Tomcat • added 2026/03/20 12:00 a.m.

Fixed in Apache Tomcat 11.0.20

Moderate: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990). The validation of SNI name and host name did not take account of possible differences in case, allowing the strict SNI checks to be bypassed. This was fixed with commit 021d1f83. This issue was reported to the Tomcat security team o...

CVSS 9.1 • AI score 6.7 • EPSS 0.12919 • Exploits 2 • Affected software 1
Apache Tomcat • added 2026/03/20 12:00 a.m.

Fixed in Apache Tomcat 9.0.116

Moderate: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990). The validation of SNI name and host name did not take account of possible differences in case, allowing the strict SNI checks to be bypassed. This was fixed with commit 95f77782. This issue was reported to the Tomcat security team o...

CVSS 9.1 • AI score 6.7 • EPSS 0.12919 • Exploits 2 • Affected software 1
Apache Tomcat • added 2026/02/17 6:53 p.m.

Fixed in Apache Tomcat Native Connector 2.0.12 / 1.3.5

Moderate: Incomplete OCSP verification checks (CVE-2026-24734). When using an OCSP responder, Tomcat Native did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. This issue was reported to the Tomcat security team on 2 November...

CVSS 7.5 • AI score 5.4 • EPSS 0.00091 • Exploits 0 • Affected software 1
Apache Tomcat • added 2026/01/27 12:00 a.m.

Fixed in Apache Tomcat 10.1.52

Moderate: Incomplete OCSP verification checks (CVE-2026-24734). When using an OCSP responder, Tomcat's FFM integration with OpenSSL did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. Affects: 10.1.0-M7 to 10.1.51. This issue...

CVSS 7.5 • AI score 5.4 • EPSS 0.00091 • Exploits 0 • Affected software 1
Apache Tomcat • added 2026/01/26 12:00 a.m.

Fixed in Apache Tomcat 11.0.18

Moderate: Incomplete OCSP verification checks (CVE-2026-24734). When using an OCSP responder, Tomcat's FFM integration with OpenSSL did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. Affects: 11.0.0-M1 to 11.0.17. This issue...

CVSS 7.5 • AI score 5.4 • EPSS 0.00091 • Exploits 0 • Affected software 1
Apache Tomcat • added 2026/01/23 12:00 a.m.

Fixed in Apache Tomcat 9.0.115

Moderate: Incomplete OCSP verification checks (CVE-2026-24734). When using an OCSP responder, Tomcat's FFM integration with OpenSSL did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. Affects: 9.0.83 to 9.0.114. This issue wa...

CVSS 7.5 • AI score 5.4 • EPSS 0.00091 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/12/08 12:00 a.m.

Fixed in Apache Tomcat 10.1.50

Low: Security constraint bypass (CVE-2026-24733). Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a specification invalid HEAD...

CVSS 9.1 • AI score 5.6 • EPSS 0.00163 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/12/08 12:00 a.m.

Fixed in Apache Tomcat 11.0.15

Low: Security constraint bypass (CVE-2026-24733). Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a specification invalid HEAD...

CVSS 9.1 • AI score 5.6 • EPSS 0.00163 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/12/07 12:00 a.m.

Fixed in Apache Tomcat 9.0.113

Low: Security constraint bypass (CVE-2026-24733). Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a specification invalid HEAD...

CVSS 9.1 • AI score 5.6 • EPSS 0.00163 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/10/07 12:00 a.m.

Fixed in Apache Tomcat 10.1.47

Low: Delayed cleaning of multipart upload temporary files may lead to DoS (CVE-2025-61795). If an error occurred, including exceeding limits, during the processing of a multipart upload, temporary copies of the uploaded parts written to local storage were not cleaned up immediately but left for the...

CVSS 5.3 • AI score 6.2 • EPSS 0.00129 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/10/07 12:00 a.m.

Fixed in Apache Tomcat 11.0.12

Low: Delayed cleaning of multipart upload temporary files may lead to DoS (CVE-2025-61795). If an error occurred, including exceeding limits, during the processing of a multipart upload, temporary copies of the uploaded parts written to local storage were not cleaned up immediately but left for the...

CVSS 5.3 • AI score 6.2 • EPSS 0.00129 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/10/06 12:00 a.m.

Fixed in Apache Tomcat 9.0.110

Low: Delayed cleaning of multipart upload temporary files may lead to DoS (CVE-2025-61795). If an error occurred, including exceeding limits, during the processing of a multipart upload, temporary copies of the uploaded parts written to local storage were not cleaned up immediately but left for the...

CVSS 5.3 • AI score 6.2 • EPSS 0.00129 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/09/08 12:00 a.m.

Fixed in Apache Tomcat 10.1.45

Low: Console manipulation via escape sequences in log messages (CVE-2025-55754). Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a...

CVSS 9.6 • AI score 7.8 • EPSS 0.00274 • Exploits 4 • Affected software 1
Apache Tomcat • added 2025/09/05 12:00 a.m.

Fixed in Apache Tomcat 11.0.11

Low: Console manipulation via escape sequences in log messages (CVE-2025-55754). Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a...

CVSS 9.6 • AI score 7.8 • EPSS 0.00274 • Exploits 4 • Affected software 1
Apache Tomcat • added 2025/09/05 12:00 a.m.

Fixed in Apache Tomcat 9.0.109

Low: Console manipulation via escape sequences in log messages (CVE-2025-55754). Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a...

CVSS 9.6 • AI score 7.8 • EPSS 0.00274 • Exploits 4 • Affected software 1
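The CVE-2025-55754 entries describe a whole class of bug: attacker-controlled text (a request line, a header, a user name) reaching a log that a terminal renders, with the ESC byte passed through verbatim. The example below is added to this page and is not Tomcat's fix; it shows the two things a practitioner wants for this class in any log pipeline: a detector for review of existing logs and an escaper that makes control bytes visible instead of dropping them, so the payload survives for forensics. The log lines are constructed, not real Tomcat output.

```python
"""Detect and neutralise terminal escape sequences in log messages, the bug
class behind CVE-2025-55754.  Example code added to this page, not Tomcat's
own fix.  Sample lines are constructed for the demo."""
import re

# CSI: ESC [ <params> <intermediates> <final byte>;  OSC: ESC ] ... BEL or ESC \
_CSI = re.compile(r'\x1b\[[0-?]*[ -/]*[@-~]')
_OSC = re.compile(r'\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)')
# Every C0 control byte and DEL except TAB.  CR/LF are included on purpose:
# inside one log message they are line-injection, not formatting.
_CONTROL = re.compile(r'[\x00-\x08\x0a-\x1f\x7f]')

def escape_log_message(msg):
    """Rewrite each control byte as a visible \\xNN token.  Escaping rather
    than stripping keeps the attacker's payload readable in the log."""
    return _CONTROL.sub(lambda m: '\\x%02x' % ord(m.group()), msg)

def contains_terminal_escape(msg):
    """Review-time detector: does the message carry a CSI or OSC sequence?"""
    return bool(_CSI.search(msg) or _OSC.search(msg))

# Constructed sample log lines: an OSC title-set hidden in a path, a CSI
# clear-screen + cursor-home pair, and a clean line.
SAMPLE_LINES = [
    'GET /app/\x1b]0;pwned\x07index.jsp 404',
    'GET /app/\x1b[2J\x1b[H/admin 200',
    'GET /app/index.jsp 200',
]

def sanitize_lines(lines):
    """Escaped copies of the given log lines, in order."""
    return [escape_log_message(line) for line in lines]

def flag_lines(lines):
    """Indexes of lines that contain a terminal escape sequence."""
    return [i for i, line in enumerate(lines) if contains_terminal_escape(line)]

if __name__ == '__main__':
    for i, line in enumerate(SAMPLE_LINES):
        mark = 'ESCAPE' if i in flag_lines(SAMPLE_LINES) else 'ok    '
        print(mark, escape_log_message(line))
```

The detector is deliberately narrower than the escaper: CSI and OSC are the sequences that move the cursor, clear the screen or set the window title, which is what a console-manipulation finding is about, while the escaper neutralises every control byte because a lone ESC followed by a later partial sequence is still dangerous.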
Apache Tomcat • added 2025/08/07 12:00 a.m.

Fixed in Apache Tomcat 10.1.44

Important: DoS in HTTP/2 due to client triggered stream reset (CVE-2025-48989). Tomcat's HTTP/2 implementation was vulnerable to the "made you reset" attack. The denial of service typically manifested as an OutOfMemoryError. This was fixed with commit 73c04a10. This issue was reported to the ASF...

CVSS 7.5 • AI score 6.6 • EPSS 0.01022 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/08/06 12:00 a.m.

Fixed in Apache Tomcat 9.0.108

Important: DoS in HTTP/2 due to client triggered stream reset (CVE-2025-48989). Tomcat's HTTP/2 implementation was vulnerable to the "made you reset" attack. The denial of service typically manifested as an OutOfMemoryError. This was fixed with commit f36b8a4e. This issue was reported to the ASF...

CVSS 7.5 • AI score 6.6 • EPSS 0.01022 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/08/06 12:00 a.m.

Fixed in Apache Tomcat 11.0.10

Important: DoS in HTTP/2 due to client triggered stream reset (CVE-2025-48989). Tomcat's HTTP/2 implementation was vulnerable to the "made you reset" attack. The denial of service typically manifested as an OutOfMemoryError. This was fixed with commit f362c8eb. This issue was reported to the ASF...

CVSS 7.5 • AI score 6.6 • EPSS 0.01022 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/07/04 12:00 a.m.

Fixed in Apache Tomcat 11.0.9

Low: DoS due to overflow in file upload limit (CVE-2025-52520). For some unlikely configurations of multipart upload, an integer overflow vulnerability could lead to a DoS via bypassing of size limits. This was fixed with commit a51e4bed. This issue was reported to the Tomcat security team on 7 June...

CVSS 7.5 • AI score 8.0 • EPSS 0.01247 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/07/04 12:00 a.m.

Fixed in Apache Tomcat 9.0.107

Important: APR/Native Connector crash leading to DoS (CVE-2025-52434). A race condition on connection close could trigger a JVM crash when using the APR/Native connector, leading to a DoS. This was particularly noticeable with client initiated closes of HTTP/2 connections. This was fixed with commit...

CVSS 7.5 • AI score 8.0 • EPSS 0.01247 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/07/04 12:00 a.m.

Fixed in Apache Tomcat 10.1.43

Low: DoS due to overflow in file upload limit (CVE-2025-52520). For some unlikely configurations of multipart upload, an integer overflow vulnerability could lead to a DoS via bypassing of size limits. This was fixed with commit fc42bbcc. This issue was reported to the Tomcat security team on 7 June...

CVSS 7.5 • AI score 8.0 • EPSS 0.01247 • Exploits 0 • Affected software 1
Apache Tomcat • added 2025/06/10 12:00 a.m.

Fixed in Apache Tomcat 9.0.106

Moderate: Session fixation possible via rewrite valve (CVE-2025-55668). If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's...

CVSS 8.4 • AI score 6.8 • EPSS 0.01278 • Exploits 1 • Affected software 1
Apache Tomcat • added 2025/06/09 12:00 a.m.

Fixed in Apache Tomcat 11.0.8

Moderate: Session fixation possible via rewrite valve (CVE-2025-55668). If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's...

CVSS 8.4 • AI score 6.8 • EPSS 0.01278 • Exploits 1 • Affected software 1
Apache Tomcat • added 2025/06/09 12:00 a.m.

Fixed in Apache Tomcat 10.1.42

Moderate: Session fixation possible via rewrite valve (CVE-2025-55668). If the rewrite valve was enabled for a web application, an attacker was able to craft a URL that, if a victim clicked on it, would cause the victim's interaction with that resource to occur in the context of the attacker's...

CVSS 8.4 • AI score 6.8 • EPSS 0.01278 • Exploits 1 • Affected software 1
Apache Tomcat • added 2025/05/13 12:00 a.m.

Fixed in Apache Tomcat 11.0.7

Low: CGI security constraint bypass (CVE-2025-46701). When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL. This was...

CVSS 7.3 • AI score 7.6 • EPSS 0.00132 • Exploits 1 • Affected software 1
Apache Tomcat • added 2025/05/12 12:00 a.m.

Fixed in Apache Tomcat 10.1.41

Low: CGI security constraint bypass (CVE-2025-46701). When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL. This was...

CVSS 7.3 • AI score 7.6 • EPSS 0.00132 • Exploits 1 • Affected software 1
Apache Tomcat • added 2025/05/12 12:00 a.m.

Fixed in Apache Tomcat 9.0.105

Low: CGI security constraint bypass (CVE-2025-46701). When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it was possible to bypass those security constraints with a specially crafted URL. This was...

CVSS 7.3 • AI score 7.6 • EPSS 0.00132 • Exploits 1 • Affected software 1
Apache Tomcat • added 2025/04/09 12:00 a.m.

Fixed in Apache Tomcat 11.0.6

Low: Rewrite rule bypass (CVE-2025-31651). For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This was fixed with...

CVSS 9.8 • AI score 7.3 • EPSS 0.10908 • Exploits 6 • Affected software 1
Apache Tomcat • added 2025/04/08 12:00 a.m.

Fixed in Apache Tomcat 9.0.104

Note: The issues below were fixed in Apache Tomcat 9.0.103 but the release vote for the 9.0.103 release candidate did not pass. Therefore, although users must download 9.0.104 to obtain a version that includes a fix for these issues, version 9.0.103 is not included in the list of affected version...

CVSS 9.8 • AI score 7.7 • EPSS 0.10908 • Exploits 6 • Affected software 1
Apache Tomcat • added 2025/04/08 12:00 a.m.

Fixed in Apache Tomcat 10.1.40

Low: Rewrite rule bypass (CVE-2025-31651). For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This was fixed with...

CVSS 9.8 • AI score 7.3 • EPSS 0.10908 • Exploits 6 • Affected software 1
Apache Tomcat • added 2025/02/10 12:00 a.m.

Fixed in Apache Tomcat 10.1.35

Important: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet (CVE-2025-24813). The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator...

CVSS 10.0 • AI score 9.2 • EPSS 0.9413 • Exploits 44 • Affected software 1
Apache Tomcat • added 2025/02/10 12:00 a.m.

Fixed in Apache Tomcat 9.0.99

Important: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet (CVE-2025-24813). The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator...

CVSS 10.0 • AI score 9.2 • EPSS 0.9413 • Exploits 44 • Affected software 1
Apache Tomcat • added 2025/02/10 12:00 a.m.

Fixed in Apache Tomcat 11.0.3

Important: Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet (CVE-2025-24813). The original implementation of partial PUT used a temporary file based on the user provided file name and path with the path separator...

CVSS 10.0 • AI score 9.2 • EPSS 0.9413 • Exploits 44 • Affected software 1
Apache Tomcat • added 2024/12/09 12:00 a.m.

Fixed in Apache Tomcat 11.0.2

Important: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete (CVE-2024-56337). The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 11.0.2 or later, users running Tomcat on a case insensitive file system with the...

CVSS 9.8 • AI score 8.3 • EPSS 0.84776 • Exploits 12 • Affected software 1
Apache Tomcat • added 2024/12/09 12:00 a.m.

Fixed in Apache Tomcat 10.1.34

Important: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete (CVE-2024-56337). The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 10.1.34 or later, users running Tomcat on a case insensitive file system with th...

CVSS 9.8 • AI score 8.3 • EPSS 0.84776 • Exploits 12 • Affected software 1
Apache Tomcat • added 2024/12/09 12:00 a.m.

Fixed in Apache Tomcat 9.0.98

Important: Remote Code Execution via write enabled Default Servlet. Mitigation for CVE-2024-50379 was incomplete (CVE-2024-56337). The previous mitigation for CVE-2024-50379 was incomplete. In addition to upgrading to 9.0.98 or later, users running Tomcat on a case insensitive file system with the...

CVSS 9.8 • AI score 8.3 • EPSS 0.84776 • Exploits 12 • Affected software 1
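Both the CVE-2025-24813 entries and the CVE-2024-50379 / CVE-2024-56337 entries above share one precondition in their titles: a write enabled Default Servlet, i.e. `org.apache.catalina.servlets.DefaultServlet` with its `readonly` init-param set to `false` (the shipped default is `true`). The remaining conditions in those advisories are cut off on this page, so this check only answers the first question. The code is an example added to this page, not Tomcat's; the two descriptors it parses are constructed, and the `listings` parameter in the safe one is there only to show that an unrelated init-param does not trigger the finding.

```python
"""Find write-enabled DefaultServlet instances in a Tomcat web.xml, the
precondition named by CVE-2025-24813 and CVE-2024-50379/CVE-2024-56337.
Example code added to this page, not Tomcat's.  Descriptors are constructed."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = 'org.apache.catalina.servlets.DefaultServlet'

def _local(tag):
    """Strip the XML namespace (javaee / jakartaee descriptors parse alike)."""
    return tag.rsplit('}', 1)[-1]

def default_servlet_params(web_xml_text):
    """init-params of every <servlet> whose class is the DefaultServlet,
    keyed by servlet-name (conf/web.xml calls it 'default'; an application
    may redeclare it in WEB-INF/web.xml, so check both files)."""
    root = ET.fromstring(web_xml_text)
    found = {}
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        name, cls, params = None, None, {}
        for child in servlet:
            tag = _local(child.tag)
            text = (child.text or '').strip()
            if tag == 'servlet-name':
                name = text
            elif tag == 'servlet-class':
                cls = text
            elif tag == 'init-param':
                kv = {_local(c.tag): (c.text or '').strip() for c in child}
                params[kv.get('param-name')] = kv.get('param-value')
        if cls == DEFAULT_SERVLET:
            found[name] = params
    return found

def write_enabled_default_servlets(web_xml_text):
    """Names of DefaultServlet instances with readonly=false.  readonly
    defaults to true, so only an explicit false is write-enabled."""
    return [name for name, params in default_servlet_params(web_xml_text).items()
            if (params.get('readonly') or 'true').strip().lower() == 'false']

# Constructed descriptors: the shipped shape (readonly absent, so true) and
# an over-permissive one.
SAFE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WRITE_ENABLED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WRITE_ENABLED_WEB_XML
    hits = write_enabled_default_servlets(text)
    print('write-enabled DefaultServlet(s):', ', '.join(hits) if hits else 'none')
```

Run it as `python check.py $CATALINA_BASE/conf/web.xml` and again for each application's `WEB-INF/web.xml`. A hit means PUT/DELETE are accepted by the default servlet and the upgrade versions listed above (plus whatever the cut-off text of those advisories requires) apply; no hit removes the precondition these entries name, nothing more.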
Apache Tomcat • added 2024/11/11 12:00 a.m.

Fixed in Apache Tomcat 10.1.33

Note: The issue below was fixed in Apache Tomcat 10.1.32 but the release vote for the 10.1.32 release candidate did not pass. Therefore, although users must download 10.1.33 to obtain a version that includes a fix for this issue, version 10.1.32 is not included in the list of affected versions...

CVSS 6.1 • AI score 7.1 • EPSS 0.15467 • Exploits 1 • Affected software 1
Apache Tomcat • added 2024/11/10 12:00 a.m.

Fixed in Apache Tomcat 11.0.1

Important: XSS in generated JSPs (CVE-2024-52318). The fix for improvement 69333 caused pooled JSP tags not to be released after use, which in turn could cause output of some tags not to be escaped as expected. This unescaped output could lead to XSS. This was fixed with commit 8d1fc473. This issue was...

CVSS 6.1 • AI score 7.0 • EPSS 0.15467 • Exploits 1 • Affected software 1
Apache Tomcat • added 2024/11/09 12:00 a.m.

Fixed in Apache Tomcat 9.0.97

Important: XSS in generated JSPs (CVE-2024-52318). The fix for improvement 69333 caused pooled JSP tags not to be released after use, which in turn could cause output of some tags not to be escaped as expected. This unescaped output could lead to XSS. This was fixed with commit 9813c5dd. This issue was...

CVSS 6.1 • AI score 7.0 • EPSS 0.15467 • Exploits 1 • Affected software 1
Apache Tomcat • added 2024/10/09 12:00 a.m.

Fixed in Apache Tomcat 10.1.31

Important: Request and/or response mix-up (CVE-2024-52317). Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 146f94f8. This issue was identified by the Tomcat Security Team on 1 October 2024...

CVSS 9.8 • AI score 7.3 • EPSS 0.215 • Exploits 2 • Affected software 1
Apache Tomcat • added 2024/10/09 12:00 a.m.

Fixed in Apache Tomcat 11.0.0

Important: Request and/or response mix-up (CVE-2024-52317). Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 9e840cca. This issue was identified by the Tomcat Security Team on 1 October 2024...

CVSS 9.8 • AI score 7.3 • EPSS 0.215 • Exploits 2 • Affected software 1
Apache Tomcat • added 2024/10/09 12:00 a.m.

Fixed in Apache Tomcat 9.0.96

Important: Request and/or response mix-up (CVE-2024-52317). Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This was fixed with commit 47307ee2. This issue was identified by the Tomcat Security Team on 1 October 2024...

CVSS 9.8 • AI score 7.9 • EPSS 0.215 • Exploits 2 • Affected software 1
Total number of security vulnerabilities: 339
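A listing like this one is only useful to an operator as a question: given the version actually installed, which of these entries still apply? The script below is an example added to this page, not from Tomcat or the site that produced the listing. Its table is transcribed from the "Fixed in Apache Tomcat" lines above, for the 9.0.x, 10.1.x and 11.0.x branches only; the Tomcat Native Connector entries (CVE-2026-29145 and the Native release of CVE-2026-24734) are versions of a different artifact and are left out, and a CVE whose fix on a branch is not stated on this page (9.0.x for CVE-2025-52520, CVE-2025-31651 and CVE-2024-52318, where the page shows only an unnamed release note or no entry) is skipped for that branch rather than guessed. An empty result therefore means "nothing on this page", not "nothing at all".

```python
"""Given an installed Tomcat version, list the CVEs on this page whose fix
for that branch is newer.  Example code added to this page; the table is
transcribed from the page's 'Fixed in' lines and omits branches the page
does not state a fix for."""
import re

# CVE -> {branch: first fixed version}, transcribed from this page.
FIXED_IN = {
    'CVE-2026-43515': {'9.0': '9.0.118', '10.1': '10.1.55', '11.0': '11.0.22'},
    'CVE-2026-34500': {'9.0': '9.0.117', '10.1': '10.1.54', '11.0': '11.0.21'},
    'CVE-2026-32990': {'9.0': '9.0.116', '10.1': '10.1.53', '11.0': '11.0.20'},
    'CVE-2026-24734': {'9.0': '9.0.115', '10.1': '10.1.52', '11.0': '11.0.18'},
    'CVE-2026-24733': {'9.0': '9.0.113', '10.1': '10.1.50', '11.0': '11.0.15'},
    'CVE-2025-61795': {'9.0': '9.0.110', '10.1': '10.1.47', '11.0': '11.0.12'},
    'CVE-2025-55754': {'9.0': '9.0.109', '10.1': '10.1.45', '11.0': '11.0.11'},
    'CVE-2025-48989': {'9.0': '9.0.108', '10.1': '10.1.44', '11.0': '11.0.10'},
    'CVE-2025-52520': {'10.1': '10.1.43', '11.0': '11.0.9'},
    'CVE-2025-52434': {'9.0': '9.0.107'},
    'CVE-2025-55668': {'9.0': '9.0.106', '10.1': '10.1.42', '11.0': '11.0.8'},
    'CVE-2025-46701': {'9.0': '9.0.105', '10.1': '10.1.41', '11.0': '11.0.7'},
    'CVE-2025-31651': {'10.1': '10.1.40', '11.0': '11.0.6'},
    'CVE-2025-24813': {'9.0': '9.0.99', '10.1': '10.1.35', '11.0': '11.0.3'},
    'CVE-2024-56337': {'9.0': '9.0.98', '10.1': '10.1.34', '11.0': '11.0.2'},
    'CVE-2024-52318': {'9.0': '9.0.97', '11.0': '11.0.1'},
    'CVE-2024-52317': {'9.0': '9.0.96', '10.1': '10.1.31', '11.0': '11.0.0'},
}

_VERSION = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$')

def parse_version(v):
    """'10.1.0-M7' -> (10, 1, 0, 0, 7); '10.1.0' -> (10, 1, 0, 1, 0).
    The fourth element orders milestone builds before the final release,
    matching the '10.1.0-M7 to 10.1.51' affected ranges used above."""
    m = _VERSION.match(v.strip())
    if not m:
        raise ValueError('unrecognised Tomcat version: %r' % v)
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            0 if milestone else 1, int(milestone or 0))

def unfixed_cves(installed):
    """Sorted CVE IDs from FIXED_IN whose fix on the installed branch is newer
    than the installed version.  CVEs with no entry for the branch are
    skipped, not assumed fixed."""
    v = parse_version(installed)
    branch = '%d.%d' % v[:2]
    return sorted(cve for cve, fixes in FIXED_IN.items()
                  if branch in fixes and parse_version(fixes[branch]) > v)

if __name__ == '__main__':
    import sys
    for ver in sys.argv[1:] or ['9.0.98', '10.1.0-M7', '11.0.22']:
        hits = unfixed_cves(ver)
        print(ver, '->', ', '.join(hits) if hits else 'nothing listed on this page')
```

The installed version is the `Server number` line of `bin/version.sh` (or `catalina.sh version`); feed it as `python tomcat_unfixed.py 9.0.98`. Keep the skip-when-unknown rule when extending the table: silently treating a missing branch as fixed is how a checker like this quietly lies.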