VYPR

rpm package

suse/tomcat&distro=SUSE Linux Enterprise High Performance Computing 15 SP1-ESPOS

pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS

Vulnerabilities (9)

  • CVE-2022-42252Nov 1, 2022
    affected < 9.0.36-150100.4.81.1fixed 9.0.36-150100.4.81.1

    If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Len

  • CVE-2021-43980Sep 28, 2022
    affected < 9.0.36-150100.4.81.1fixed 9.0.36-150100.4.81.1

    The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and

  • CVE-2022-23181Jan 27, 2022
    affected < 9.0.36-4.70.1fixed 9.0.36-4.70.1

    The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tom

  • CVE-2021-41079Sep 16, 2021
    affected < 9.0.36-4.63.1fixed 9.0.36-4.63.1

    Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a den

  • CVE-2021-33037Jul 12, 2021
    affected < 9.0.36-4.63.1fixed 9.0.36-4.63.1

    Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ign

  • CVE-2021-30640Jul 12, 2021
    affected < 9.0.36-4.63.1fixed 9.0.36-4.63.1

    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.

  • CVE-2021-25329Mar 1, 2021
    affected < 9.0.36-4.58.1fixed 9.0.36-4.58.1

    The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note tha

  • CVE-2021-25122Mar 1, 2021
    affected < 9.0.36-4.58.1fixed 9.0.36-4.58.1

    When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results

  • CVE-2021-24122Jan 14, 2021
    affected < 9.0.36-4.58.1fixed 9.0.36-4.58.1

    When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpec