org.apache.tomcat:tomcat-catalina@9.0.0.M19 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • C
Uncaught Exception

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Uncaught Exception due to the custom Jakarta Authentication ServerAuthContext component which may throw an exception during the authentication process without setting an HTTP status to indicate failure. An attacker can gain unauthorized access by exploiting this unchecked error condition.

Note:

This is only exploitable if Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that behaves in this way. According to the maintainers, no such cases are known.

How to fix Uncaught Exception?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.96, 10.1.31, 11.0.0 or higher.

[9.0.0.M1,9.0.96) [10.1.0-M1,10.1.31) [11.0.0-M1,11.0.0)
  • H
Improper Input Validation

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

How to fix Improper Input Validation?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

[8.5.0,8.5.96) [9.0.0-M1,9.0.83) [10.1.0-M1,10.1.16) [11.0.0-M1,11.0.0-M10)
  • M
Incomplete Cleanup

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

How to fix Incomplete Cleanup?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[8.5.0,8.5.94) [9.0.0-M1,9.0.81) [10.1.0-M1,10.1.14) [11.0.0-M1,11.0.0-M12)
  • M
Access Restriction Bypass

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

The vulnerability is limited to the ROOT (default) web application.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.

[8.5.0,8.5.93) [9.0.0-M1,9.0.80) [10.1.0-M1,10.1.13) [11.0.0-M1,11.0.0-M11)
  • M
Unprotected Transport of Credentials

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the RemoteIpFilter with requests received from a reverse proxy via HTTP, in which the X-Forwarded-Proto header is set to https. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel.

How to fix Unprotected Transport of Credentials?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.

[8.5.0,8.5.86) [9.0.0-M1,9.0.72) [10.1.0-M1,10.1.6) [11.0.0-M1,11.0.0-M3)
  • M
Denial of Service (DoS)

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.

NOTE: After upgrading to the fixed version, the setFileCountMax() must be explicitly set to avoid this vulnerability.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.

[8.5.0,8.5.85) [9.0.0-M1,9.0.71) [10.1.0-M1,10.1.5) [11.0.0-M1,11.0.0-M3)
  • L
Information Exposure

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Information Exposure. due to a concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

How to fix Information Exposure?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14 or higher.

[8.5.0,8.5.78) [9.0.0-M1,9.0.62) [10.0.0-M1,10.0.20) [10.1.0-M1,10.1.0-M14)
  • H
Improper Resource Shutdown or Release

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release. When a web application sends a WebSocket message concurrently with the WebSocket connection closing, the application may continue to use the socket after it has been closed. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.

How to fix Improper Resource Shutdown or Release?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.76, 9.0.21 or higher.

[8.5.0,8.5.76) [9.0.0.M1,9.0.21)
  • M
Improper Input Validation

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Input Validation. Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (e.g., user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

How to fix Improper Input Validation?

Upgrade org.apache.tomcat:tomcat-catalina to version 10.0.6, 9.0.46, 8.5.66, 7.0.109 or higher.

[10.0.0-M1,10.0.6) [9.0.0.M1,9.0.46) [8.5.0,8.5.66) [7.0.0,7.0.109)
  • H
Remote Code Execution (RCE)

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.tomcat:tomcat-catalina to version 10.0.2, 9.0.43, 8.5.63, 7.0.108 or higher.

[10.0.0-M1,10.0.2) [9.0.0.M1,9.0.43) [8.5.0,8.5.63) [7.0.0,7.0.108)
  • M
Information Disclosure

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Information Disclosure. When serving resources from a network location using the NTFS file system, affected versions were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

How to fix Information Disclosure?

Upgrade org.apache.tomcat:tomcat-catalina to version 10.0.0-M10, 9.0.40, 8.5.60, 7.0.107 or higher.

[10.0.0-M1,10.0.0-M10) [9.0.0.M1,9.0.40) [8.5.0,8.5.60) [7.0.0,7.0.107)
  • H
Remote Code Execution (RCE)

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). If an attacker is able to control the contents and name of a file on the server; and the server is configured to use the PersistenceManager with a FileStore; and the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.

How to fix Remote Code Execution (RCE)?

Upgrade org.apache.tomcat:tomcat-catalina to version 10.0.0-M5, 9.0.35, 8.5.55, 7.0.104 or higher.

[10.0.0-M1,10.0.0-M5) [9.0.0M1,9.0.35) [8.5.0,8.5.55) [7.0.0,7.0.104)
  • L
Session Fixation

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Session Fixation. When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

How to fix Session Fixation?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.30, 8.5.50, 7.0.99 or higher.

[9.0.0.M1,9.0.30) [8.5.0,8.5.50) [,7.0.99)
  • L
Cross-site Scripting (XSS)

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the SSI printenv command.

Note: Server Side Includes (SSI) is disabled by default and is intended for debugging purposes only.

How to fix Cross-site Scripting (XSS)?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.18, 8.5.40, 7.0.94 or higher.

[9.0.0.M1,9.0.18) [8.5.0,8.5.40) [7.0.0,7.0.94)
  • H
Remote Code Execution

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Remote Code Execution due to a bug in the way the underlying Java Runtime Environment (JRE) passes command line arguments to windows systems when the option enableCmdLineArguments is enabled.

The CGI Servlet in Apache Tomcat when enabled, will pass user input to the underlying operating system for command line parsing. However, this process is not consistent and may allow the injection of additional arguments. This misconfiguration could be abused by attackers to execute code on an application's underlying operating system.

How to fix Remote Code Execution?

Upgrade org.apache.tomcat:tomcat-catalina to version 7.0.94, 8.5.40, 9.0.18 or higher.

[7.0.0,7.0.94) [8.5.0,8.5.40) [9.0.0.M1,9.0.18)
  • H
Denial of Service (DoS)

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Denial of Service (DoS). The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.38, 9.0.16 or higher.

[8.5.0,8.5.38) [9.0.0.M1,9.0.16)
  • M
Access Restriction Bypass

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Access Restriction Bypass. The URL pattern of (the empty string) which exactly maps to the context root was not correctly handled, this caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat:tomcat-catalina to version 7.0.85, 8.0.50, 8.5.28, 9.0.5 or higher.

[7.0.0,7.0.85) [8.0.0.RC1,8.0.50) [8.5.0,8.5.28) [9.0.0.M1,9.0.5)
  • M
Directory Traversal

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Directory Traversal. Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

How to fix Directory Traversal?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.5, 8.5.28, 8.0.50, 7.0.85 or higher.

[9.0.0M1,9.0.5) [8.5.0,8.5.28) [8.0.0RC1,8.0.50) [7.0.0,7.0.85)
  • H
Arbitrary Code Execution

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Arbitrary Code Execution. When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

This is due to an incomplete fix for CVE-2017-12615.

How to fix Arbitrary Code Execution?

Upgrade org.apache.tomcat:tomcat-catalina to version 7.0.82, 8.0.46, 8.5.22, 9.0.1 or higher.

[,7.0.82) [8,8.0.46) [8.5,8.5.22) [9.0.0.M1,9.0.1)
  • H
Directory Traversal

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Directory Traversal. The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

How to fix Directory Traversal?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.16, 9.0.0.M22 or higher.

[8.5.0,8.5.16) [9.0.0.M1,9.0.0.M22)
  • M
Cache Poisoning

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Cache Poisoning. The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

How to fix Cache Poisoning?

Upgrade org.apache.tomcat:tomcat-catalina to version 7.0.79, 8.0.45, 8.5.16, 9.0.0.M22 or higher.

[7.0.0,7.0.79) [8.0.0RC1,8.0.45) [8.5.0,8.5.16) [9.0.0.M1,9.0.0.M22)
  • H
Access Restriction Bypass

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Access Restriction Bypass. The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat:tomcat-catalina to version 7.0.78, 8.0.44, 8.5.15, 9.0.0.M21 or higher.

[7.0.0,7.0.78) [8.0.0RC1,8.0.44) [8.5.0,8.5.15) [9.0.0.M1,9.0.0.M21)
  • H
Denial of Service (DoS)

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Denial of Service (DoS). It allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat:tomcat-catalina to version 7.0.70, 8.0.36, 8.5.3, 9.0.0.M7 or higher.

[7.0.0,7.0.70) [8.0,8.0.36) [8.5.0,8.5.3) [9-alpha,9.0.0.M7)
  • H
Information Exposure

org.apache.tomcat:tomcat-catalina Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

[7,7.0.66) [8,8.0.30) [9-alpha,9.0.0.M2)
  • M
Information Exposure

org.apache.tomcat:tomcat-catalina Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

[7.0.0,7.0.68) [8,8.0.31) [9-alpha,9.0.0.M2)
  • H
Access Restriction Bypass

org.apache.tomcat:tomcat-catalina The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

[7.0.0,7.0.68) [8,8.0.31) [9-alpha,9.0.0.M2)
  • M
Directory Traversal

org.apache.tomcat:tomcat-catalina The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

[7.0.0,7.0.68) [8,8.0.30) [9-alpha,9.0.0.M2)
  • M
Access Restriction Bypass

org.apache.tomcat:tomcat-catalina The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

[7.0.0,7.0.68) [8,8.0.31) [9-alpha,9.0.0.M2)