org.apache.tomcat:tomcat-catalina 9.0.108 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Relative Path Traversal org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as `/WEB-INF/` and `/META-INF/` by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution. Note: Older, EOL versions may also be affected. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. How to fix Relative Path Traversal? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.109, 10.1.45, 11.0.11 or higher.	[,9.0.109)[10.1.0-M1,10.1.45)[11.0.0-M1,11.0.11)
M Improper Resource Shutdown or Release org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion. Note: Successful exploitation depends on the JVM settings, the application memory usage, and application load. How to fix Improper Resource Shutdown or Release? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.110, 10.1.47, 11.0.12 or higher.	[,9.0.110)[10.0.0-M1,10.1.47)[11.0.0-M1,11.0.12)

Vulnerability

Vulnerable Version

Relative Path Traversal

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as /WEB-INF/ and /META-INF/ by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution.

Note:

Older, EOL versions may also be affected.
PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.

How to fix Relative Path Traversal?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.109, 10.1.45, 11.0.11 or higher.

[,9.0.109)[10.1.0-M1,10.1.45)[11.0.0-M1,11.0.11)

Improper Resource Shutdown or Release

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion.

Note: Successful exploitation depends on the JVM settings, the application memory usage, and application load.

How to fix Improper Resource Shutdown or Release?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.110, 10.1.47, 11.0.12 or higher.

[,9.0.110)[10.0.0-M1,10.1.47)[11.0.0-M1,11.0.12)

org.apache.tomcat:tomcat-catalina@9.0.108 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically