VYPR

rpm package

suse/tomcat&distro=SUSE Linux Enterprise Server 15 SP1-LTSS

pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS

Vulnerabilities (16)

  • CVE-2023-46589HigNov 28, 2023
    affected < 9.0.36-150100.4.105.1fixed 9.0.36-150100.4.105.1

    Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header si

  • CVE-2023-45648MedOct 10, 2023
    affected < 9.0.36-150100.4.98.1fixed 9.0.36-150100.4.98.1

    Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header

  • CVE-2023-42795MedOct 10, 2023
    affected < 9.0.36-150100.4.98.1fixed 9.0.36-150100.4.98.1

    Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part

  • CVE-2023-41080MedAug 25, 2023
    affected < 9.0.36-150100.4.98.1fixed 9.0.36-150100.4.98.1

    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, E

  • CVE-2023-28709HigMay 22, 2023
    affected < 9.0.36-150100.4.93.1fixed 9.0.36-150100.4.93.1

    The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a

  • CVE-2023-28708MedMar 22, 2023
    affected < 9.0.36-150100.4.90.1fixed 9.0.36-150100.4.90.1

    When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not i

  • CVE-2023-24998HigFeb 20, 2023
    affected < 9.0.36-150100.4.87.1fixed 9.0.36-150100.4.87.1

    Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur

  • CVE-2022-42252HigNov 1, 2022
    affected < 9.0.36-150100.4.81.1fixed 9.0.36-150100.4.81.1

    If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Len

  • CVE-2021-43980LowSep 28, 2022
    affected < 9.0.36-150100.4.81.1fixed 9.0.36-150100.4.81.1

    The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and

  • CVE-2022-23181HigJan 27, 2022
    affected < 9.0.36-4.70.1fixed 9.0.36-4.70.1

    The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tom

  • CVE-2021-41079HigSep 16, 2021
    affected < 9.0.36-4.63.1fixed 9.0.36-4.63.1

    Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a den

  • CVE-2021-33037MedJul 12, 2021
    affected < 9.0.36-4.63.1fixed 9.0.36-4.63.1

    Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ign

  • CVE-2021-30640MedJul 12, 2021
    affected < 9.0.36-4.63.1fixed 9.0.36-4.63.1

    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.

  • CVE-2021-25329HigMar 1, 2021
    affected < 9.0.36-4.58.1fixed 9.0.36-4.58.1

    The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note tha

  • CVE-2021-25122HigMar 1, 2021
    affected < 9.0.36-4.58.1fixed 9.0.36-4.58.1

    When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results

  • CVE-2021-24122MedJan 14, 2021
    affected < 9.0.36-4.58.1fixed 9.0.36-4.58.1

    When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpec