rpm package
suse/tomcat&distro=SUSE Linux Enterprise Server 12 SP5-LTSS
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5-LTSS
Vulnerabilities (53)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-48988 | — | < 9.0.36-3.145.1 | 9.0.36-3.145.1 | Jun 16, 2025 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created bu | ||
| CVE-2025-46701 | — | < 9.0.36-3.145.1 | 9.0.36-3.145.1 | May 29, 2025 | Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, | ||
| CVE-2025-31651 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Apr 28, 2025 | Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security | ||
| CVE-2025-24813 | — | KEV | < 9.0.36-3.139.1 | 9.0.36-3.139.1 | Mar 10, 2025 | Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from | |
| CVE-2024-54677 | — | < 9.0.36-3.136.1 | 9.0.36-3.136.1 | Dec 17, 2024 | Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following ve | ||
| CVE-2024-50379 | — | < 9.0.36-3.136.1 | 9.0.36-3.136.1 | Dec 17, 2024 | Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 thr | ||
| CVE-2024-52316 | — | < 9.0.36-3.133.1 | 9.0.36-3.133.1 | Nov 18, 2024 | Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indic | ||
| CVE-2024-38286 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Nov 7, 2024 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created | ||
| CVE-2024-34750 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Jul 3, 2024 | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn | ||
| CVE-2024-23672 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Mar 13, 2024 | Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through | ||
| CVE-2024-24549 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Mar 13, 2024 | Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers ha | ||
| CVE-2024-21733 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Jan 19, 2024 | Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 on | ||
| CVE-2023-46589 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Nov 28, 2023 | Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header si | ||
| CVE-2023-45468 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Oct 13, 2023 | Netis N3Mv2-V1.0.1.865 was discovered to contain a buffer overflow via the pingWdogIp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input. | ||
| CVE-2023-42795 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Oct 10, 2023 | Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part | ||
| CVE-2023-44487 | Hig | 7.5 | KEV | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Oct 10, 2023 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
| CVE-2023-41080 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Aug 25, 2023 | URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, E | ||
| CVE-2023-28709 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | May 22, 2023 | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a | ||
| CVE-2023-28708 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Mar 22, 2023 | When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not i | ||
| CVE-2023-24998 | — | < 9.0.115-3.160.1 | 9.0.115-3.160.1 | Feb 20, 2023 | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur |
- CVE-2025-48988Jun 16, 2025affected < 9.0.36-3.145.1fixed 9.0.36-3.145.1
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created bu
- CVE-2025-46701May 29, 2025affected < 9.0.36-3.145.1fixed 9.0.36-3.145.1
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6,
- CVE-2025-31651Apr 28, 2025affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security
- affected < 9.0.36-3.139.1fixed 9.0.36-3.139.1
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from
- CVE-2024-54677Dec 17, 2024affected < 9.0.36-3.136.1fixed 9.0.36-3.136.1
Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97. The following ve
- CVE-2024-50379Dec 17, 2024affected < 9.0.36-3.136.1fixed 9.0.36-3.136.1
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration). This issue affects Apache Tomcat: from 11.0.0-M1 thr
- CVE-2024-52316Nov 18, 2024affected < 9.0.36-3.133.1fixed 9.0.36-3.133.1
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indic
- CVE-2024-38286Nov 7, 2024affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created
- CVE-2024-34750Jul 3, 2024affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn
- CVE-2024-23672Mar 13, 2024affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through
- CVE-2024-24549Mar 13, 2024affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers ha
- CVE-2024-21733Jan 19, 2024affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 on
- CVE-2023-46589Nov 28, 2023affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header si
- CVE-2023-45468Oct 13, 2023affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Netis N3Mv2-V1.0.1.865 was discovered to contain a buffer overflow via the pingWdogIp. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted input.
- CVE-2023-42795Oct 10, 2023affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part
- affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
- CVE-2023-41080Aug 25, 2023affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, E
- CVE-2023-28709May 22, 2023affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a
- CVE-2023-28708Mar 22, 2023affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not i
- CVE-2023-24998Feb 20, 2023affected < 9.0.115-3.160.1fixed 9.0.115-3.160.1
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur
Page 2 of 3