345 matches found
Fixed in Apache Tomcat 8.5.32
Important: Information Disclosure CVE-2018-8037 If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present...
Fixed in Apache Tomcat 10.1.6
Important: Apache Tomcat information disclosure CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in th...
Fixed in Apache Tomcat 7.0.99
Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...
Fixed in Apache Tomcat 9.0.0.M13
Note: The issues below were fixed in Apache Tomcat 9.0.0.M12 but the release vote for the 9.0.0.M12 release candidate did not pass. Therefore, although users must download 9.0.0.M13 to obtain a version that includes fixes for these issues, version 9.0.0.M12 is not included in the list of affected...
Fixed in Apache Tomcat 7.0.52
Note: The issue below was fixed in Apache Tomcat 7.0.51 but the release vote for the 7.0.51 release candidate did not pass. Therefore, although users must download 7.0.52 to obtain a version that includes a fix for this issue, version 7.0.51 is not included in the list of affected versions...
Fixed in Apache Tomcat 8.5.86
Important: Apache Tomcat information disclosure CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in th...
Fixed in Apache Tomcat 9.0.21
Important: Request mix-up CVE-2022-25762 If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a...
Fixed in Apache Tomcat 9.0.10
Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833757. This issue was reported publicly on 11 June 2018 and formally announced as a...
Fixed in Apache Tomcat 9.0.37
Important: WebSocket DoS CVE-2020-13935 The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. This was fixed with commit 40fa74c7. This issue wa...
Fixed in Apache Tomcat 8.0.3
Note: The issue below was fixed in Apache Tomcat 8.0.2 but the release vote for the 8.0.2 release candidates did not pass. Therefore, although users must download 8.0.3 to obtain a version that includes a fix for this issue, version 8.0.2 is not included in the list of affected versions. Importan...
Fixed in Apache Tomcat 8.5.78
High: Information Disclosure CVE-2021-43980 The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing but extremely hard to trigger concurrency bug that could cause client connections to share an...
Fixed in Apache Tomcat 7.0.73
Important: Remote Code Execution CVE-2016-8735 The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as...
Fixed in Apache Tomcat 6.0.53
Important: Information Disclosure CVE-2017-5647 A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong...
Fixed in Apache Tomcat 8.5.34
Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory (e.g. redirecting to /foo/ when the user requested /foo) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attacker's choice. This was fixed in revision...
Fixed in Apache Tomcat 6.0.14
Low: Cross-site scripting CVE-2007-2449 JSPs within the examples web application did not escape user provided data before including it in the output. This enabled an XSS attack. These JSPs now filter the data before use. This issue may be mitigated by undeploying the examples web application. Note...
Fixed in Apache Tomcat 9.0.65
Low: Apache Tomcat XSS in examples web application CVE-2022-34305 The Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability. This was fixed with commit 8b60af90. This issue was reported to the Apache Tomcat Securit...
Fixed in Apache Tomcat 8.5.66
Low: Authentication weakness CVE-2021-30640 Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (e.g. user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for...
Fixed in Apache Tomcat 8.5.68
Note: The issue below was fixed in Apache Tomcat 8.5.67 but the release vote for the 8.5.67 release candidate did not pass. Therefore, although users must download 8.5.68 to obtain a version that includes a fix for this issue, version 8.5.67 is not included in the list of affected versions...
Fixed in Apache Tomcat 7.0.82
Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...
Fixed in Apache Tomcat 5.5.28
Important: Information Disclosure CVE-2008-5515 When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be...
Fixed in Apache Tomcat 10.1.25
Important: Denial of Service CVE-2024-34750 When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain...
Fixed in Apache Tomcat 9.0.9
Low: CORS filter has insecure defaults CVE-2018-8014 The default settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default...
Fixed in Apache Tomcat 8.5.31
Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830374. This issue was reported publicly on 6...
Fixed in Apache Tomcat 7.0.79
Moderate: Cache Poisoning CVE-2017-7674 The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. This was fixed in revision 1795816. The issue was reported as bug 61101 on ...
Fixed in Apache Tomcat 8.5.13
Important: Information Disclosure CVE-2017-5651 The refactoring of the HTTP connectors for 8.5.x onwards, introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could resu...
Fixed in Apache Tomcat 8.5.12
Low: Information Disclosure CVE-2017-5648 While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to...
Fixed in Apache Tomcat 6.0.18
Note: These issues were fixed in Apache Tomcat 6.0.17 but the release vote for that release candidate did not pass. Therefore, although users must download 6.0.18 to obtain a version that includes fixes for these issues, 6.0.17 is not included in the list of affected versions. Low: Cross-site...
Fixed in Apache Tomcat 10.1.5
Important: Apache Tomcat denial of service CVE-2023-24998 Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload...
Fixed in Apache Tomcat 8.0.17
Note: The issue below was fixed in Apache Tomcat 8.0.16 but the release vote for the 8.0.16 release candidate did not pass. Therefore, although users must download 8.0.17 to obtain a version that includes a fix for this issue, version 8.0.16 is not included in the list of affected versions...
Fixed in Apache Tomcat 9.0.74
Moderate: Apache Tomcat denial of service CVE-2023-28709 The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount...
Fixed in Apache Tomcat 8.5.28
Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...
Fixed in Apache Tomcat 9.0.1
Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...
Fixed in Apache Tomcat 8.5.38
Important: Denial of Service CVE-2019-0199 The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's...
Fixed in Apache Tomcat 9.0.0.M18
Low: Information Disclosure CVE-2017-5648 While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to...
Fixed in Apache Tomcat 9.0.0.M8
Note: The issue below was fixed in Apache Tomcat 9.0.0.M7 but the release vote for the 9.0.0.M7 release candidate did not pass. Therefore, although users must download 9.0.0.M8 to obtain a version that includes fixes for these issues, version 9.0.0.M7 is not included in the list of affected...
Fixed in Apache Tomcat 7.0.108
Low: Fix for CVE-2020-9484 was incomplete CVE-2021-25329 The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the...
Fixed in Apache Tomcat 6.0.43
Note: The issue below was fixed in Apache Tomcat 6.0.42 but the release vote for the 6.0.42 release candidate did not pass. Therefore, although users must download 6.0.43 to obtain a version that includes a fix for this issue, version 6.0.42 is not included in the list of affected versions...
Fixed in Apache Tomcat 11.0.0-M3
Important: Apache Tomcat information disclosure CVE-2023-28708 When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in th...
Fixed in Apache Tomcat 7.0.105
Important: WebSocket DoS CVE-2020-13935 The payload length in a WebSocket frame was not correctly validated. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service. This was fixed with commits f9f75c14 and 4c049828...
Fixed in Apache Tomcat 5.5.36
Moderate: DIGEST authentication weakness CVE-2012-3439 Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved: 1. Tomcat tracked client rather than server nonces and nonce count. 2. When a session ID was present, authentication was bypassed. 3. The user...
Fixed in Apache Tomcat 11.0.0-M5
Moderate: Apache Tomcat denial of service CVE-2023-28709 The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount...
Fixed in Apache Tomcat 10.0.23
Low: Apache Tomcat XSS in examples web application CVE-2022-34305 The Form authentication example in the examples web application displayed user provided data without filtering, exposing an XSS vulnerability. This was fixed with commit 1a7e95d9. This issue was reported to the Apache Tomcat Securit...
Fixed in Apache Tomcat 6.0.44
Low: Denial of Service CVE-2014-0230 When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the...
Fixed in Apache Tomcat 10.1.0-M10
Note: The issue below was fixed in Apache Tomcat 10.1.0-M9 but the release vote for the 10.1.0-M9 release candidate did not pass. Therefore, although users must download 10.1.0-M10 to obtain a version that includes a fix for these issues, version 10.1.0-M9 is not included in the list of affected...
Fixed in Apache Tomcat 8.5.63
Note: The issues below were fixed in Apache Tomcat 8.5.62 but the release vote for the 8.5.62 release candidate did not pass. Therefore, although users must download 8.5.63 to obtain a version that includes a fix for these issues, version 8.5.62 is not included in the list of affected versions...
Fixed in Apache Tomcat 8.5.50
Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...
Fixed in Apache Tomcat 5.5.23, 5.0.SVN
Important: Information disclosure CVE-2005-2090 Requests with multiple content-length headers should be rejected as invalid. When multiple components (firewalls, caches, proxies and Tomcat) process a sequence of requests where one or more requests contain multiple content-length headers and several...
Fixed in Apache Tomcat 10.1.14
Important: Request smuggling CVE-2023-45648 Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. This was fixe...
Fixed in Apache Tomcat 9.0.48
Note: The issue below was fixed in Apache Tomcat 9.0.47 but the release vote for the 9.0.47 release candidate did not pass. Therefore, although users must download 9.0.48 to obtain a version that includes a fix for this issue, version 9.0.47 is not included in the list of affected versions...
Fixed in Apache Tomcat 8.5.49
Note: The issue below was fixed in Apache Tomcat 8.0.48 but the release vote for the 8.0.48 release candidate did not pass. Therefore, although users must download 8.0.49 to obtain a version that includes the fix for this issue, version 8.0.48 is not included in the list of affected versions...