org.apache.tomcat:tomcat-catalina@11.0.0-M11 vulnerabilities

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the RemoteIpFilter with requests received from a reverse proxy via HTTP, in which the X-Forwarded-Proto header is set to https. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel.

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.

NOTE: After upgrading to the fixed version, the setFileCountMax() must be explicitly set to avoid this vulnerability.

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.