org.apache.tomcat:tomcat-catalina@10.0.0-M7 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry lists the severity, the issue, the fix, and the vulnerable version ranges (Maven range notation).

Severity: Low
Information Exposure

org.apache.tomcat:tomcat-catalina provides the Tomcat servlet engine core classes and their standard implementations.

Affected versions of this package are vulnerable to Information Exposure due to a concurrency bug that could cause client connections to share an Http11Processor instance, resulting in responses, or parts of responses, being received by the wrong client.

How to fix Information Exposure?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14 or higher.

[8.5.0,8.5.78) [9.0.0-M1,9.0.62) [10.0.0-M1,10.0.20) [10.1.0-M1,10.1.0-M14)
Severity: High
Privilege Escalation

Affected versions of this package are vulnerable to Privilege Escalation via a time-of-check/time-of-use (TOCTOU) race that allows a local attacker to perform actions with the privileges of the account the Tomcat process runs as. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

How to fix Privilege Escalation?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.74, 9.0.57, 10.0.15, 10.1.0-M9 or higher.

[8.5.55,8.5.74) [9.0.0,9.0.57) [10.0.0-M1,10.0.15) [10.1.0-M1,10.1.0-M9)
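Because the entry above only applies when sessions are persisted with the FileStore, the first triage step is to confirm whether a deployment actually meets that precondition. The helper below is an added example (not Tomcat or Snyk code): it parses a Tomcat `context.xml` or `server.xml` and reports every `<Store className="org.apache.catalina.session.FileStore">` that sits inside a `PersistentManager`, which is the only Manager that honours a nested `<Store>`. The three configuration snippets are constructed for the demo.

```python
"""Audit helper: does this Tomcat configuration persist sessions with
org.apache.catalina.session.FileStore?  Added example, not Tomcat code.
The context.xml samples below are constructed for the demo."""
import xml.etree.ElementTree as ET
from typing import Dict, List

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"


def file_store_configs(config_xml: str) -> List[Dict[str, str]]:
    """Return one record per FileStore that Tomcat would actually use.

    Works on a per-application context.xml, the global conf/context.xml,
    or a server.xml whose <Context> elements carry a <Manager>.  A <Store>
    is only honoured as a child of a PersistentManager; the default
    StandardManager has no Store element, so such contexts are not flagged.
    """
    root = ET.fromstring(config_xml)
    found: List[Dict[str, str]] = []
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue
        for store in manager.findall("Store"):
            if store.get("className") != FILE_STORE:
                continue
            found.append({
                # FileStore writes into the context's work directory unless
                # 'directory' is set; PersistentManager timers default to -1 (off).
                "directory": store.get("directory", "(default: context work directory)"),
                "maxIdleBackup": manager.get("maxIdleBackup", "-1"),
                "maxIdleSwap": manager.get("maxIdleSwap", "-1"),
            })
    return found


def uses_file_store(config_xml: str) -> bool:
    """True if the precondition for the FileStore advisory is met."""
    return bool(file_store_configs(config_xml))


# Constructed samples, not taken from any real deployment.
PERSISTENT_WITH_FILESTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager" maxIdleBackup="30">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""

DEFAULT_MANAGER = """<Context>
  <Manager className="org.apache.catalina.session.StandardManager"/>
</Context>"""

PERSISTENT_WITH_JDBCSTORE = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.JDBCStore" dataSourceName="jdbc/sessions"/>
  </Manager>
</Context>"""

if __name__ == "__main__":
    for label, xml_text in (("FileStore", PERSISTENT_WITH_FILESTORE),
                            ("StandardManager", DEFAULT_MANAGER),
                            ("JDBCStore", PERSISTENT_WITH_JDBCSTORE)):
        print(f"{label:>15}: uses FileStore = {uses_file_store(xml_text)}",
              file_store_configs(xml_text))
```

Run it over `conf/context.xml`, every `META-INF/context.xml` in deployed applications, and `conf/server.xml`; a Manager can be declared in any of them. If no PersistentManager with a FileStore is found, the entry above is not exploitable on that instance, although upgrading is still the fix.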
Severity: Medium
Improper Input Validation

Affected versions of this package are vulnerable to Improper Input Validation: queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user-provided data (e.g., user names) as well as from configuration data provided by an administrator. In limited circumstances this allowed users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

How to fix Improper Input Validation?

Upgrade org.apache.tomcat:tomcat-catalina to version 10.0.6, 9.0.46, 8.5.66, 7.0.109 or higher.

[10.0.0-M1,10.0.6) [9.0.0.M1,9.0.46) [8.5.0,8.5.66) [7.0.0,7.0.109)
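The entry above is terse about why unescaped realm queries matter. The following added illustration (not Tomcat's JNDIRealm or LockOutRealm code) shows the mechanism with a toy LDAP directory: a `userSearch` pattern of `(uid={0})` has the submitted user name substituted in, RFC 4515 escaping is either applied or skipped, and a simplified LockOutRealm counts failures per submitted user-name string, as Tomcat's does. The directory contents, passwords and the spellings of "alice" are constructed for the demo; the real fix also covered values used outside search filters, which this example does not model.

```python
"""How an unescaped LDAP search filter lets 'variations of a user name'
authenticate and dilute a per-user lock-out counter.  Added illustration,
not Tomcat's JNDIRealm/LockOutRealm code; the directory, passwords and
user-name spellings are constructed for the demo."""
import re
from typing import Dict, List, Optional

# Constructed directory: uid -> password (stands in for an LDAP bind check).
DIRECTORY: Dict[str, str] = {"alice": "s3cret", "alicia": "hunter2", "bob": "pa55"}
USER_SEARCH = "(uid={0})"   # the userSearch pattern a JNDI Realm substitutes into


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    the metacharacters * ( ) \\ and NUL become \\XX hex escapes."""
    return "".join(("\\%02x" % ord(c)) if c in "*()\\\x00" else c for c in value)


def search_filter(username: str, escape: bool) -> str:
    """Build the filter the realm sends; escape=False is the pre-fix behaviour."""
    value = escape_filter_value(username) if escape else username
    return USER_SEARCH.replace("{0}", value)


_SIMPLE_FILTER = re.compile(r"^\((\w+)=([^()]*)\)$")   # one equality/substring item only


def ldap_search(filt: str) -> List[str]:
    """Toy LDAP server: evaluate a single (attr=value) filter over DIRECTORY.
    An unescaped '*' is a substring wildcard; '\\XX' is a literal character."""
    m = _SIMPLE_FILTER.match(filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt!r}")
    attr, assertion = m.groups()
    if attr != "uid":
        return []

    def unescape(segment: str) -> str:
        return re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), segment)

    pattern = ".*".join(re.escape(unescape(seg)) for seg in assertion.split("*"))
    return sorted(uid for uid in DIRECTORY if re.fullmatch(pattern, uid))


class LockOutRealm:
    """Simplified LockOutRealm over a JNDI-style search.  Failures are counted
    per *submitted* user-name string (Tomcat's default failureCount is 5), and
    a user name must resolve to exactly one directory entry to authenticate."""

    def __init__(self, escape_parameters: bool, failure_count: int = 5) -> None:
        self.escape = escape_parameters
        self.failure_count = failure_count
        self.failures: Dict[str, int] = {}
        self.password_checks = 0   # guesses that reached the real credential check

    def authenticate(self, username: str, password: str) -> Optional[str]:
        if self.failures.get(username, 0) >= self.failure_count:
            return None                      # this spelling is locked out
        matches = ldap_search(search_filter(username, self.escape))
        if len(matches) == 1:                # ambiguous matches are rejected
            self.password_checks += 1
            if DIRECTORY[matches[0]] == password:
                self.failures.pop(username, None)
                return matches[0]            # authenticated as the *resolved* uid
        self.failures[username] = self.failures.get(username, 0) + 1
        return None


def password_checks_before_lockout(escape_parameters: bool) -> int:
    """Make failure_count wrong guesses under several spellings of 'alice' and
    report how many guesses were actually tested against alice's password.
    Without escaping, every wildcard spelling that still resolves to a single
    entry gets its own lock-out budget; 'alic*' matches two entries and fails."""
    realm = LockOutRealm(escape_parameters, failure_count=5)
    for spelling in ("alice", "alice*", "*lice", "al*ce", "alic*"):
        for _ in range(realm.failure_count):
            realm.authenticate(spelling, "wrong-guess")
    return realm.password_checks


if __name__ == "__main__":
    print("unescaped: alice* with alice's password ->",
          LockOutRealm(False).authenticate("alice*", "s3cret"))
    print("escaped:   alice* with alice's password ->",
          LockOutRealm(True).authenticate("alice*", "s3cret"))
    print("password checks before lock-out, unescaped:", password_checks_before_lockout(False))
    print("password checks before lock-out, escaped:  ", password_checks_before_lockout(True))
```

The two effects the entry describes fall out directly: with the raw filter, `alice*` authenticates as `alice` (a "variation of the user name"), and because the lock-out counter is keyed on the submitted string, each distinct wildcard spelling buys another five guesses against the same account. With RFC 4515 escaping the `*` becomes `\2a`, matches nothing, and only the exact spelling is ever checked.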
Severity: High
Remote Code Execution (RCE)

Affected versions of this package are vulnerable to Remote Code Execution (RCE) because the fix for CVE-2020-9484 was incomplete. Under a configuration edge case that was highly unlikely to be used, the Tomcat instance remained vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.tomcat:tomcat-catalina to version 10.0.2, 9.0.43, 8.5.63, 7.0.108 or higher.

[10.0.0-M1,10.0.2) [9.0.0.M1,9.0.43) [8.5.0,8.5.63) [7.0.0,7.0.108)
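The vulnerable-version lines in all four entries use Maven range notation, and Tomcat's milestone scheme makes them easy to misread by eye: `10.0.0-M7` is older than `10.0.0`, and the page spells early 9.0 milestones both as `9.0.0.M1` and `9.0.0-M1`. The checker below is an added example (not Snyk or Tomcat code) that parses those ranges and tells you which of the four entries cover a given version. The range strings are copied from this page; the versions tried in `__main__` are constructed, and the version parser only understands Tomcat's `major.minor.patch[-Mn]` scheme.

```python
"""Does a given tomcat-catalina version fall inside the ranges quoted on this
page?  Added example, not Snyk or Tomcat code.  The range strings are copied
from the four advisories above; the versions checked in __main__ are
constructed for the demo, and the parser only understands Tomcat's
major.minor.patch[-Mn] scheme."""
import re
from typing import Dict, List, Optional, Tuple

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")
# Maven range: '[' or '(', lower bound, ',', upper bound, ']' or ')'.
# An empty bound is open-ended, e.g. '(,8.5.78)'.
_RANGE_RE = re.compile(r"([\[(])([^,\])]*),([^,\])]*)([\])])")

VersionKey = Tuple[int, int, int, int, int]
Range = Tuple[bool, Optional[str], bool, Optional[str]]


def version_key(version: str) -> VersionKey:
    """Ordering key.  A milestone sorts before the GA release it precedes
    (10.0.0-M7 < 10.0.0), and the two milestone spellings used on this page
    (9.0.0.M1 and 9.0.0-M1) are treated as the same version."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def parse_ranges(spec: str) -> List[Range]:
    """Parse '[8.5.0,8.5.78) [9.0.0-M1,9.0.62)' into
    (lower_inclusive, lower, upper_inclusive, upper) tuples."""
    ranges = [(o == "[", lo.strip() or None, c == "]", hi.strip() or None)
              for o, lo, hi, c in _RANGE_RE.findall(spec)]
    if not ranges:
        raise ValueError(f"no version ranges found in {spec!r}")
    return ranges


def is_affected(version: str, spec: str) -> bool:
    """True if `version` lies in any of the ranges in `spec`."""
    v = version_key(version)
    for lower_inc, lower, upper_inc, upper in parse_ranges(spec):
        if lower is not None:
            lk = version_key(lower)
            if v < lk or (v == lk and not lower_inc):
                continue
        if upper is not None:
            uk = version_key(upper)
            if v > uk or (v == uk and not upper_inc):
                continue
        return True
    return False


# Vulnerable ranges exactly as listed in the four entries above.
ADVISORIES: Dict[str, str] = {
    "Information Exposure (shared Http11Processor)":
        "[8.5.0,8.5.78) [9.0.0-M1,9.0.62) [10.0.0-M1,10.0.20) [10.1.0-M1,10.1.0-M14)",
    "Privilege Escalation (FileStore TOCTOU)":
        "[8.5.55,8.5.74) [9.0.0,9.0.57) [10.0.0-M1,10.0.15) [10.1.0-M1,10.1.0-M9)",
    "Improper Input Validation (JNDI Realm escaping)":
        "[10.0.0-M1,10.0.6) [9.0.0.M1,9.0.46) [8.5.0,8.5.66) [7.0.0,7.0.109)",
    "RCE (incomplete fix for CVE-2020-9484)":
        "[10.0.0-M1,10.0.2) [9.0.0.M1,9.0.43) [8.5.0,8.5.63) [7.0.0,7.0.108)",
}


def affecting_advisories(version: str) -> List[str]:
    """Names of the entries above whose ranges contain `version`."""
    return [name for name, spec in ADVISORIES.items() if is_affected(version, spec)]


if __name__ == "__main__":
    for v in ("10.0.0-M7", "9.0.0.M5", "8.5.60", "10.0.20", "9.0.62"):
        print(f"{v:>10}: {affecting_advisories(v) or 'none of the four'}")
```

For the `10.0.0-M7` version this page is about, all four entries apply; the first 10.0.x release clear of all of them is `10.0.20`. Note that the FileStore TOCTOU entry's 9.0 range starts at the GA `9.0.0`, so a `9.0.0.Mn` milestone is outside it while still inside the other three.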