VYPR

rpm package

suse/tomcat&distro=SUSE Linux Enterprise Server for SAP Applications 12 SP5

pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5

Vulnerabilities (34)

  • CVE-2024-38286Nov 7, 2024
    affected < 9.0.36-3.130.1fixed 9.0.36-3.130.1

    Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created

  • CVE-2024-34750Jul 3, 2024
    affected < 9.0.36-3.127.1fixed 9.0.36-3.127.1

    Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn

  • CVE-2024-23672Mar 13, 2024
    affected < 9.0.36-3.124.1fixed 9.0.36-3.124.1

    Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through

  • CVE-2024-24549Mar 13, 2024
    affected < 9.0.36-3.124.1fixed 9.0.36-3.124.1

    Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers ha

  • CVE-2024-21733Jan 19, 2024
    affected < 9.0.36-3.121.1fixed 9.0.36-3.121.1

    Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Other, EOL versions may also be affected. Users are recommended to upgrade to version 8.5.64 on

  • CVE-2023-46589Nov 28, 2023
    affected < 9.0.36-3.118.1fixed 9.0.36-3.118.1

    Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header si

  • CVE-2023-45648Oct 10, 2023
    affected < 9.0.36-3.111.1fixed 9.0.36-3.111.1

    Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header

  • CVE-2023-42795Oct 10, 2023
    affected < 9.0.36-3.111.1fixed 9.0.36-3.111.1

    Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some part

  • CVE-2023-41080Aug 25, 2023
    affected < 9.0.36-3.108.1fixed 9.0.36-3.108.1

    URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. Older, E

  • CVE-2023-28709May 22, 2023
    affected < 9.0.36-3.105.1fixed 9.0.36-3.105.1

    The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a

  • CVE-2023-28708Mar 22, 2023
    affected < 9.0.36-3.102.1fixed 9.0.36-3.102.1

    When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not i

  • CVE-2023-24998Feb 20, 2023
    affected < 9.0.36-3.99.1fixed 9.0.36-3.99.1

    Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configur

  • CVE-2022-42252Nov 1, 2022
    affected < 9.0.36-3.93.1fixed 9.0.36-3.93.1

    If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Len

  • CVE-2021-43980Sep 28, 2022
    affected < 9.0.36-3.90.1fixed 9.0.36-3.90.1

    The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and

  • CVE-2022-23181Jan 27, 2022
    affected < 9.0.36-3.84.1fixed 9.0.36-3.84.1

    The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tom

  • CVE-2021-41079Sep 16, 2021
    affected < 9.0.36-3.71.1fixed 9.0.36-3.71.1

    Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a den

  • CVE-2021-33037Jul 12, 2021
    affected < 9.0.36-3.71.1fixed 9.0.36-3.71.1

    Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ign

  • CVE-2021-30640Jul 12, 2021
    affected < 9.0.36-3.71.1fixed 9.0.36-3.71.1

    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.

  • CVE-2021-25329Mar 1, 2021
    affected < 9.0.36-3.64.1fixed 9.0.36-3.64.1

    The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note tha

  • CVE-2021-25122Mar 1, 2021
    affected < 9.0.36-3.64.1fixed 9.0.36-3.64.1

    When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results

Page 1 of 2