339 matches found
Fixed in Apache Tomcat 9.0.31
Important: AJP Request Injection and potential Remote Code Execution CVE-2020-1938 When using the Apache JServ Protocol AJP, care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. I...
Fixed in Apache Tomcat 7.0.99
Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...
Fixed in Apache Tomcat 8.5.50
Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...
Fixed in Apache Tomcat 9.0.30
Low: Session fixation CVE-2019-17563 When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a securit...
Fixed in Apache Tomcat 9.0.29
Moderate: Local Privilege Escalation CVE-2019-12418 When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and...
Fixed in Apache Tomcat 8.5.49
Note: The issue below was fixed in Apache Tomcat 8.0.48 but the release vote for the 8.0.48 release candidate did not pass. Therefore, although users must download 8.0.49 to obtain a version that includes the fix for this issue, version 8.0.48 is not included in the list of affected versions...
Fixed in Apache Tomcat 9.0.21
Important: Request mix-up CVE-2022-25762 If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a...
Fixed in Apache Tomcat 9.0.20
Important: Denial of Service CVE-2019-10072 The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOWUPDATE messages for the connection window stream 0 clients were able to cause server-side threads to block eventually leading...
Fixed in Apache Tomcat 8.5.41
Important: Denial of Service CVE-2019-10072 The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOWUPDATE messages for the connection window stream 0 clients were able to cause server-side threads to block eventually leading...
Fixed in Apache Tomcat 9.0.19
Note: The issues below were fixed in Apache Tomcat 9.0.18 but the release vote for the 9.0.18 release candidate did not pass. Therefore, although users must download 9.0.19 to obtain a version that includes a fix for these issues, version 9.0.18 is not included in the list of affected versions...
Fixed in Apache Tomcat 7.0.94
Important: Remote Code Execution on Windows CVE-2019-0232 When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. For a...
Fixed in Apache Tomcat 8.5.40
Important: Remote Code Execution on Windows CVE-2019-0232 When running on Windows with enableCmdLineArguments enabled, the CGI Servlet is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. For a...
Fixed in Apache Tomcat 9.0.16
Note: The issue below was fixed in Apache Tomcat 9.0.15 but the release vote for the 9.0.15 release candidate did not pass. Therefore, although users must download 9.0.16 to obtain a version that includes a fix for these issues, version 9.0.15 is not included in the list of affected versions...
Fixed in Apache Tomcat 8.5.38
Important: Denial of Service CVE-2019-0199 The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's...
Fixed in Apache Tomcat JK Connector 1.2.46
Note: The issue below was fixed in Apache Tomcat JK Connector 1.2.45 but the release vote for the 1.2.45 release candidate did not pass. Therefore, although users must download 1.2.46 to obtain a version that includes the fix for this issue, version 1.2.45 is not included in the list of affected...
Fixed in Apache Tomcat 7.0.91
Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory e.g. redirecting to /foo/ when the user requested /foo a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. This was fixed in revision...
Fixed in Apache Tomcat 8.5.34
Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory e.g. redirecting to /foo/ when the user requested /foo a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. This was fixed in revision...
Fixed in Apache Tomcat 9.0.12
Moderate: Open Redirect CVE-2018-11784 When the default servlet returned a redirect to a directory e.g. redirecting to /foo/ when the user requested /foo a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. This was fixed in revision...
Fixed in Apache Tomcat Native Connector 1.2.17
Moderate: Mishandled OCSP invalid response CVE-2018-8019 When using an OCSP responder Tomcat Native did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates...
Fixed in Apache Tomcat 7.0.90
Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833760. This issue was reported publicly on 11 June 2018 and formally announced as a...
Fixed in Apache Tomcat 8.0.53
Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833759. This issue was reported publicly on 11 June 2018 and formally announced as a...
Fixed in Apache Tomcat 8.5.32
Important: Information Disclosure CVE-2018-8037 If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present...
Fixed in Apache Tomcat 9.0.10
Low: host name verification missing in WebSocket client CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. This was fixed in revision 1833757. This issue was reported publicly on 11 June 2018 and formally announced as a...
Fixed in Apache Tomcat 9.0.9
Low: CORS filter has insecure defaults CVE-2018-8014 The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default...
Fixed in Apache Tomcat 7.0.89
Low: CORS filter has insecure defaults CVE-2018-8014 The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default...
Fixed in Apache Tomcat 7.0.88
Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830376. This issue was reported publicly on 6...
Fixed in Apache Tomcat 8.0.52
Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830375. This issue was reported publicly on 6...
Fixed in Apache Tomcat 8.5.31
Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830374. This issue was reported publicly on 6...
Fixed in Apache Tomcat 9.0.8
Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. This was fixed in revision 1830373. This issue was reported publicly on 6...
Fixed in Apache Tomcat JK Connector 1.2.43
Important: Information disclosure CVE-2018-1323 The IIS/ISAPI specific code that normalised the requested path before matching it to the URI-worker map did not handle some edge cases correctly. If only a sub-set of the URLs supported by Tomcat were exposed via IIS, then it was possible for a...
Fixed in Apache Tomcat 7.0.85
Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...
Fixed in Apache Tomcat 8.0.50
Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...
Fixed in Apache Tomcat 8.5.28
Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...
Fixed in Apache Tomcat 9.0.5
Important: Security constraint annotations applied too late CVE-2018-1305 Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was...
Fixed in Apache Tomcat Native Connector 1.2.16
Note: The issue below was fixed in Apache Tomcat Native Connector 1.2.15 but the release vote for the 1.2.15 release candidate did not pass. Therefore, although users must download 1.2.16 to obtain a version that includes the fix for this issue, version 1.2.15 is not included in the list of...
Fixed in Apache Tomcat 7.0.84
Low: Incorrectly documented CGI search algorithm CVE-2017-15706 Note: The issue below was fixed in Apache Tomcat 7.0.83 but the release vote for the 7.0.83 release candidate did not pass. Therefore, although users must download 7.0.84 to obtain a version that includes the fix for this issue,...
Fixed in Apache Tomcat 8.0.48
Low: Incorrectly documented CGI search algorithm CVE-2017-15706 As part of the fix for bug 61201, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as...
Fixed in Apache Tomcat 9.0.2
Low: Incorrectly documented CGI search algorithm CVE-2017-15706 As part of the fix for bug 61201, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as...
Fixed in Apache Tomcat 8.5.24
Low: Incorrectly documented CGI search algorithm CVE-2017-15706 As part of the fix for bug 61201, the description of the search algorithm used by the CGI Servlet to identify which script to execute was updated. The update was not correct. As a result, some scripts may have failed to execute as...
Fixed in Apache Tomcat 8.0.47
Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...
Fixed in Apache Tomcat 7.0.82
Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...
Fixed in Apache Tomcat 8.5.23
Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...
Fixed in Apache Tomcat 9.0.1
Important: Remote Code Execution CVE-2017-12617 When running with HTTP PUTs enabled e.g. via setting the readonly initialisation parameter of the Default servlet to false it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any...
Fixed in Apache Tomcat 7.0.81
Important: Information Disclosure CVE-2017-12616 When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request. This was fixed in revision 1804729. This issue was...
Fixed in Apache Tomcat 7.0.79
Moderate: Cache Poisoning CVE-2017-7674 The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. This was fixed in revision 1795816. The issue was reported as bug 61101 on ...
Fixed in Apache Tomcat 8.0.45
Moderate: Cache Poisoning CVE-2017-7674 The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. This was fixed in revision 1795815. The issue was reported as bug 61101 on ...
Fixed in Apache Tomcat 8.5.16
Important: Security Constraint Bypass CVE-2017-7675 The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using an specially crafted URL. This was fixed in revision 1796091. The issue was...
Fixed in Apache Tomcat 9.0.0.M22
Important: Security Constraint Bypass CVE-2017-7675 The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using an specially crafted URL. This was fixed in revision 1796090. The issue was...
Fixed in Apache Tomcat 7.0.78
Important: Security Constraint Bypass CVE-2017-5664 The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the...
Fixed in Apache Tomcat 8.0.44
Important: Security Constraint Bypass CVE-2017-5664 The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the...