org.apache.tomcat:tomcat-catalina 9.0.105 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Integer Overflow or Wraparound org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion. How to fix Integer Overflow or Wraparound? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.107, 10.1.43, 11.0.9 or higher.	[9.0.0.M1,9.0.107)[10.0.0-M1,10.1.43)[11.0.0-M1,11.0.9)
H Allocation of Resources Without Limits or Throttling org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
M Authentication Bypass Using an Alternate Path or Channel org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how `PreResources` or `PostResources` handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Vulnerability

Vulnerable Version

Integer Overflow or Wraparound

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

How to fix Integer Overflow or Wraparound?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.107, 10.1.43, 11.0.9 or higher.

[9.0.0.M1,9.0.107)[10.0.0-M1,10.1.43)[11.0.0-M1,11.0.9)

Allocation of Resources Without Limits or Throttling

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Authentication Bypass Using an Alternate Path or Channel

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

org.apache.tomcat:tomcat-catalina@9.0.105 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?