Maven package
org.apache.tomcat/tomcat-util
pkg:maven/org.apache.tomcat/tomcat-util
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-52434 | — | >= 9.0.0.M1, < 9.0.107 | 9.0.107 | Jul 10, 2025 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: | ||
| CVE-2024-38286 | — | >= 11.0.0-M1, < 11.0.0-M21 | 11.0.0-M21 | Nov 7, 2024 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created | ||
| CVE-2023-42795 | — | >= 11.0.0-M1, < 11.0.0-M12 | 11.0.0-M12 | Oct 10, 2023 | Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part | ||
| CVE-2022-45143 | — | >= 8.5.83, < 8.5.84 | 8.5.84 | Jan 3, 2023 | The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that inv | ||
| CVE-2016-8745 | Hig | 7.5 | >= 9.0.0.M1, < 9.0.0.M14 | 9.0.0.M14 | Aug 10, 2017 | A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple time | |
| CVE-2014-0099 | — | < 6.0.40 | 6.0.40 | May 31, 2014 | Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header |
- CVE-2025-52434Jul 10, 2025affected >= 9.0.0.M1, < 9.0.107fixed 9.0.107
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat:
- CVE-2024-38286Nov 7, 2024affected >= 11.0.0-M1, < 11.0.0-M21fixed 11.0.0-M21
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created
- CVE-2023-42795Oct 10, 2023affected >= 11.0.0-M1, < 11.0.0-M12fixed 11.0.0-M12
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part
- CVE-2022-45143Jan 3, 2023affected >= 8.5.83, < 8.5.84fixed 8.5.84
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that inv
- affected >= 9.0.0.M1, < 9.0.0.M14fixed 9.0.0.M14
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple time
- CVE-2014-0099May 31, 2014affected < 6.0.40fixed 6.0.40
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header