Homepage
About Snyk

org.apache.tomcat:tomcat-catalina@8.5.91 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Improper Input Validation

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

How to fix Improper Input Validation?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

[8.5.0,8.5.96) [9.0.0-M1,9.0.83) [10.1.0-M1,10.1.16) [11.0.0-M1,11.0.0-M10)
  • M
Incomplete Cleanup

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

How to fix Incomplete Cleanup?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[8.5.0,8.5.94) [9.0.0-M1,9.0.81) [10.1.0-M1,10.1.14) [11.0.0-M1,11.0.0-M12)
  • M
Incomplete Cleanup

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Incomplete Cleanup in the internal fork of Commons FileUpload package. An attacker can potentially cause a denial of service on Windows by opening a stream for an uploaded file but failing to close the stream. This results in the file never being deleted from the disk, creating the possibility of an eventual denial of service due to the disk being full.

Note:

This vulnerability is exploitable on Windows operating systems.

How to fix Incomplete Cleanup?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.94, 9.0.81 or higher.

[8.5.85,8.5.94) [9.0.70,9.0.81)
  • M
Access Restriction Bypass

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

The vulnerability is limited to the ROOT (default) web application.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.

[8.5.0,8.5.93) [9.0.0-M1,9.0.80) [10.1.0-M1,10.1.13) [11.0.0-M1,11.0.0-M11)
Go back to all versions of this package