Fixed in Apache Tomcat 9.0.31

Important: AJP Request Injection and potential Remote Code Execution CVE-2020-1938 When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. I...

Fixed in Apache Tomcat 8.5.8

Note: The issues below were fixed in Apache Tomcat 8.5.7 but the release vote for the 8.5.7 release candidate did not pass. Therefore, although users must download 8.5.8 to obtain a version that includes fixes for these issues, version 8.5.7 is not included in the list of affected versions...

Fixed in Apache Tomcat 9.0.54

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

Fixed in Apache Tomcat 8.5.40

Important: Remote Code Execution on Windows CVE-2019-0232 When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. For a...

Fixed in Apache Tomcat 7.0.109

Low: Authentication weakness CVE-2021-30640 Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data eg user names as well as configuration data provided by an administrator. In limited circumstances it was possible for...

Fixed in Apache Tomcat 9.0.19

Note: The issues below were fixed in Apache Tomcat 9.0.18 but the release vote for the 9.0.18 release candidate did not pass. Therefore, although users must download 9.0.19 to obtain a version that includes a fix for these issues, version 9.0.18 is not included in the list of affected versions...

Fixed in Apache Tomcat 9.0.58

Note: The issue below was fixed in Apache Tomcat 9.0.57 but the release vote for the 9.0.57 release candidate did not pass. Therefore, although users must download 9.0.58 to obtain a version that includes a fix for these issues, version 9.0.57 is not included in the list of affected versions. Low...

Fixed in Apache Tomcat 8.5.93

Moderate: Open redirect CVE-2023-41080 If the ROOT default web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice. This was fixed with commit 4998ad74. This issue was reported ...

Fixed in Apache Tomcat 7.0.94

Important: Remote Code Execution on Windows CVE-2019-0232 When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. For a...

Fixed in Apache Tomcat 9.0.72

Important: Apache Tomcat information disclosure CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in th...

Fixed in Apache Tomcat 8.5.76

Important: Request mix-up CVE-2022-25762 If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a...

Fixed in Apache Tomcat 9.0.43

Note: The issues below were fixed in Apache Tomcat 9.0.42 but the release vote for the 9.0.42 release candidate did not pass. Therefore, although users must download 9.0.43 to obtain a version that includes a fix for these issues, version 9.0.42 is not included in the list of affected versions...

Fixed in Apache Tomcat 8.5.72

Important: Denial of Service CVE-2021-42340 The fix for bug 63362 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the WebSocket connection was closed. This created a memory leak that, over time, could...

Fixed in Apache Tomcat 8.5.85

Important: Apache Tomcat denial of service CVE-2023-24998 Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload...

Fixed in Apache Tomcat 7.0.100

High: AJP Request Injection and potential Remote Code Execution CVE-2020-1938 When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If suc...

Fixed in Apache Tomcat 8.0.53

Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833759. This issue was reported publicly on 11 June 2018 and formally announced as a...

Fixed in Apache Tomcat 9.0.38

Moderate: HTTP/2 request mix-up CVE-2020-13943 If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection in violation of the HTTP/2 protocol, it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo...

Fixed in Apache Tomcat 8.5.51

Important: AJP Request Injection and potential Remote Code Execution CVE-2020-1938 When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. I...

Fixed in Apache Tomcat 9.0.81

Important: Request smuggling CVE-2023-45648 Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. This was fixe...

Fixed in Apache Tomcat 9.0.69

Low: Apache Tomcat JsonErrorReportValve injection CVE-2022-45143 The JsonErrorReportValve did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or...

Fixed in Apache Tomcat 8.5.79

Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does...

Fixed in Apache Tomcat 8.5.88

Moderate: Apache Tomcat denial of service CVE-2023-28709 The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount...

Fixed in Apache Tomcat 8.0.47

Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...

Fixed in Apache Tomcat 9.0.86

Important: Denial of Service CVE-2024-23672 It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption. This was fixed with commit 52d6650e. This issue was identified by the Tomcat Security Team on 17 January 2024. The issue was made publi...

Fixed in Apache Tomcat 8.5.96

Important: Request smuggling CVE-2023-46589 Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a...

Fixed in Apache Tomcat 8.5.75

Note: The issue below was fixed in Apache Tomcat 8.5.74 but the release vote for the 8.5.74 release candidate did not pass. Therefore, although users must download 8.5.75 to obtain a version that includes a fix for these issues, version 8.5.74 is not included in the list of affected versions. Low...

Fixed in Apache Tomcat 9.0.63

Low: Apache Tomcat EncryptInterceptor DoS CVE-2022-29885 The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does...

Fixed in Apache Tomcat 9.0.80

Moderate: Open redirect CVE-2023-41080 If the ROOT default web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice. This was fixed with commit 77c0ce2d. This issue was reported ...

Fixed in Apache Tomcat 9.0.35

Important: Remote Code Execution via session persistence CVE-2020-9484 If: an attacker is able to control the contents and name of a file on the server; and the server is configured to use the PersistenceManager with a FileStore; and the PersistenceManager is configured with...

Fixed in Apache Tomcat 9.0.62

Note: The issue below was fixed in Apache Tomcat 9.0.61 but the release vote for the 9.0.61 release candidate did not pass. Therefore, although users must download 9.0.62 to obtain a version that includes a fix for these issues, version 9.0.61 is not included in the list of affected versions. Hig...

Fixed in Apache Tomcat 9.0.12

Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory e.g. redirecting to /foo/ when the user requested /foo a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. This was fixed in revision...

Fixed in Apache Tomcat 10.1.19

Important: Denial of Service CVE-2024-23672 It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption. This was fixed with commit 0052b374. This issue was identified by the Tomcat Security Team on 17 January 2024. The issue was made publi...

Fixed in Apache Tomcat 8.0.39

Important: Remote Code Execution CVE-2016-8735 The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as...

Fixed in Apache Tomcat 10.1.13

Moderate: Open redirect CVE-2023-41080 If the ROOT default web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice. This was fixed with commit bb4624a9. This issue was reported ...

Fixed in Apache Tomcat 9.0.29

Moderate: Local Privilege Escalation CVE-2019-12418 When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and...

Fixed in Apache Tomcat 4.1.36

Important: Information disclosure CVE-2005-2090 Requests with multiple content-length headers should be rejected as invalid. When multiple components firewalls, caches, proxies and Tomcat process a sequence of requests where one or more requests contain multiple content-length headers and several...

Fixed in Apache Tomcat 8.5.94

Important: Request smuggling CVE-2023-45648 Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. This was fixe...

Fixed in Apache Tomcat 8.5.57

Important: WebSocket DoS CVE-2020-13935 The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. This was fixed with commit 12d71567. This issue wa...

Fixed in Apache Tomcat 6.0.48

Important: Remote Code Execution CVE-2016-8735 The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as...

Fixed in Apache Tomcat 8.5.99

Important: Denial of Service CVE-2024-23672 It was possible for a WebSocket client to keep a WebSocket connection open leading to increased resource consumption. This was fixed with commit 3631adb1. This issue was identified by the Tomcat Security Team on 17 January 2024. The issue was made publi...

Fixed in Apache Tomcat 9.0.40

Important: Information disclosure CVE-2021-24122 When serving resources from a network location using the NTFS file system it was possible to bypass security constraints and/or view the source code for JSPs in some configurations. The root cause was the unexpected behaviour of the JRE API...

Fixed in Apache Tomcat 9.0.30

Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...

Fixed in Apache Tomcat 8.5.23

Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...

Fixed in Apache Tomcat 8.5.3 and 8.0.36

Moderate: Denial of Service CVE-2016-3092 Apache Tomcat uses a package renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the...

Fixed in Apache Tomcat 9.0.68

Low: Apache Tomcat request smuggling CVE-2022-42252 If Tomcat was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false not the default, Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat wa...

Fixed in Apache Tomcat 10.0.16

Note: The issue below was fixed in Apache Tomcat 10.0.15 but the release vote for the 10.0.15 release candidate did not pass. Therefore, although users must download 10.0.16 to obtain a version that includes a fix for these issues, version 10.0.15 is not included in the list of affected versions...

Fixed in Apache Tomcat 7.0.90

Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833760. This issue was reported publicly on 11 June 2018 and formally announced as a...

Fixed in Apache Tomcat 10.1.6

Important: Apache Tomcat information disclosure CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in th...

Fixed in Apache Tomcat 9.0.46

Low: Authentication weakness CVE-2021-30640 Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data eg user names as well as configuration data provided by an administrator. In limited circumstances it was possible for...

Fixed in Apache Tomcat 7.0.99

Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...