org.apache.tomcat:tomcat-catalina@8.5.59 vulnerabilities
-
latest version
10.1.24
-
latest non vulnerable version
-
first published
14 years ago
-
latest version published
12 days ago
-
licenses detected
- [0,)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy. How to fix Improper Input Validation? Upgrade |
[8.5.0,8.5.96)
[9.0.0-M1,9.0.83)
[10.1.0-M1,10.1.16)
[11.0.0-M1,11.0.0-M10)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error. How to fix Incomplete Cleanup? Upgrade |
[8.5.0,8.5.94)
[9.0.0-M1,9.0.81)
[10.1.0-M1,10.1.14)
[11.0.0-M1,11.0.0-M12)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice. The vulnerability is limited to the ROOT (default) web application. How to fix Access Restriction Bypass? Upgrade |
[8.5.0,8.5.93)
[9.0.0-M1,9.0.80)
[10.1.0-M1,10.1.13)
[11.0.0-M1,11.0.0-M11)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the How to fix Unprotected Transport of Credentials? Upgrade |
[8.5.0,8.5.86)
[9.0.0-M1,9.0.72)
[10.1.0-M1,10.1.6)
[11.0.0-M1,11.0.0-M3)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload. NOTE: After upgrading to the fixed version, the How to fix Denial of Service (DoS)? Upgrade |
[8.5.0,8.5.85)
[9.0.0-M1,9.0.71)
[10.1.0-M1,10.1.5)
[11.0.0-M1,11.0.0-M3)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Information Exposure.
due to a concurrency bug that could cause client connections to share an How to fix Information Exposure? Upgrade |
[8.5.0,8.5.78)
[9.0.0-M1,9.0.62)
[10.0.0-M1,10.0.20)
[10.1.0-M1,10.1.0-M14)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release. When a web application sends a WebSocket message concurrently with the WebSocket connection closing, the application may continue to use the socket after it has been closed. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. How to fix Improper Resource Shutdown or Release? Upgrade |
[8.5.0,8.5.76)
[9.0.0.M1,9.0.21)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Privilege Escalation via a How to fix Privilege Escalation? Upgrade |
[8.5.55,8.5.74)
[9.0.0,9.0.57)
[10.0.0-M1,10.0.15)
[10.1.0-M1,10.1.0-M9)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Input Validation. Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (e.g., user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm. How to fix Improper Input Validation? Upgrade |
[10.0.0-M1,10.0.6)
[9.0.0.M1,9.0.46)
[8.5.0,8.5.66)
[7.0.0,7.0.109)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Remote Code Execution (RCE). The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. How to fix Remote Code Execution (RCE)? Upgrade |
[10.0.0-M1,10.0.2)
[9.0.0.M1,9.0.43)
[8.5.0,8.5.63)
[7.0.0,7.0.108)
|
org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Information Disclosure. When serving resources from a network location using the NTFS file system, affected versions were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API How to fix Information Disclosure? Upgrade |
[10.0.0-M1,10.0.0-M10)
[9.0.0.M1,9.0.40)
[8.5.0,8.5.60)
[7.0.0,7.0.107)
|