VYPR

Maven package

org.apache.tomcat.embed/tomcat-embed-core

pkg:maven/org.apache.tomcat.embed/tomcat-embed-core

Vulnerabilities (60)

  • CVE-2024-56337 (Dec 20, 2024)
    affected: >= 11.0.0-M1, < 11.0.2; fixed: 11.0.2

    Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97. The following versions were EOL at the time the CVE was created but ar

  • CVE-2024-50379 (Dec 17, 2024)
    affected: >= 11.0.0-M1, < 11.0.2; fixed: 11.0.2

    Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 thr

  • CVE-2024-52317 (Nov 18, 2024)
    affected: >= 9.0.92, < 9.0.96; fixed: 9.0.96

    Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from

  • CVE-2024-34750 (Jul 3, 2024)
    affected: >= 11.0.0-M1, < 11.0.0-M21; fixed: 11.0.0-M21

    Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn

  • CVE-2024-24549 (Mar 13, 2024)
    affected: >= 8.5.0, < 8.5.99; fixed: 8.5.99

    Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers ha

  • CVE-2024-21733 (Jan 19, 2024)
    affected: >= 8.5.7, < 8.5.64; fixed: 8.5.64

    Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 on

  • CVE-2023-46589 (Nov 28, 2023)
    affected: >= 11.0.0-M1, < 11.0.0-M11; fixed: 11.0.0-M11

    Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header si

  • CVE-2023-45648 (Oct 10, 2023)
    affected: >= 11.0.0-M1, < 11.0.0-M12; fixed: 11.0.0-M12

    Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header

  • CVE-2023-42795 (Oct 10, 2023)
    affected: >= 11.0.0-M1, < 11.0.0-M12; fixed: 11.0.0-M12

    Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part

  • CVE-2023-44487 [High] [KEV] (Oct 10, 2023)
    affected: >= 11.0.0-M1, < 11.0.0-M12; fixed: 11.0.0-M12

    The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

  • CVE-2023-41080 (Aug 25, 2023)
    affected: >= 8.5.0, < 8.5.93; fixed: 8.5.93

    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the FORM authentication feature of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, E

  • CVE-2023-34981 (Jun 21, 2023)
    affected: >= 11.0.0-M5, < 11.0.0-M6; fixed: 11.0.0-M6

    A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at least one AJP proxy (mod_proxy_ajp) would

  • CVE-2023-28709 (May 22, 2023)
    affected: >= 11.0.0-M2, < 11.0.0-M5; fixed: 11.0.0-M5

    The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a

  • CVE-2023-24998 (Feb 20, 2023)
    affected: >= 10.1.0-M1, < 10.1.5; fixed: 10.1.5

    Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur

  • CVE-2022-45143 (Jan 3, 2023)
    affected: >= 8.5.83, < 8.5.84; fixed: 8.5.84

    The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that inv

  • CVE-2022-42252 (Nov 1, 2022)
    affected: >= 8.5.0, < 8.5.83; fixed: 8.5.83

    If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Len

  • CVE-2021-25329 (Mar 1, 2021)
    affected: >= 10.0.0-M1, < 10.0.2; fixed: 10.0.2

    The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note tha

  • CVE-2021-25122 (Mar 1, 2021)
    affected: >= 10.0.0, < 10.0.2; fixed: 10.0.2

    When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results

  • CVE-2021-24122 (Jan 14, 2021)
    affected: >= 10.0.0-M1, < 10.0.0-M10; fixed: 10.0.0-M10

    When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpec

  • CVE-2020-1938 [KEV] (Feb 24, 2020)
    affected: >= 9.0.0, < 9.0.31; fixed: 9.0.31

    When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exp