Homepage
About Snyk

org.apache.tomcat:tomcat-catalina@8.0.48 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Insecure Defaults

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Insecure Defaults. The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins.

How to fix Insecure Defaults?

Upgrade org.apache.tomcat:tomcat-catalina to version 7.0.89, 8.0.53, 8.5.32, 9.0.9 or higher.

[,7.0.89) [8.0.0,8.0.53) [8.5.0,8.5.32) [9.0.0,9.0.9)
  • M
Access Restriction Bypass

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Access Restriction Bypass. The URL pattern of (the empty string) which exactly maps to the context root was not correctly handled, this caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat:tomcat-catalina to version 7.0.85, 8.0.50, 8.5.28, 9.0.5 or higher.

[7.0.0,7.0.85) [8.0.0.RC1,8.0.50) [8.5.0,8.5.28) [9.0.0.M1,9.0.5)
  • M
Directory Traversal

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Directory Traversal. Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

How to fix Directory Traversal?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.5, 8.5.28, 8.0.50, 7.0.85 or higher.

[9.0.0M1,9.0.5) [8.5.0,8.5.28) [8.0.0RC1,8.0.50) [7.0.0,7.0.85)
  • H
Improper Access Control

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Access Control. It did not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an httpoxy issue.

How to fix Improper Access Control?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.5 or higher.

[7.35,8.5.5)
Go back to all versions of this package