org.apache.tomcat:tomcat-coyote@10.0.0-M5 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • M
Information Exposure

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Information Exposure through an incomplete POST request, which triggers an error response that could contain data from a previous request from another user.

How to fix Information Exposure?

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.64, 9.0.44, 10.0.4 or higher.

[8.5.7,8.5.64) [9.0.0-M11,9.0.44) [10.0.0-M1,10.0.4)
  • L
HTTP Request Smuggling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Content-Length header are not being properly rejected.

Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

How to fix HTTP Request Smuggling?

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

[8.5.0,8.5.53) [9.0.0-M1,9.0.68) [10.0.0-M1,10.0.27) [10.1.0-M1,10.1.1)
  • M
HTTP Request Smuggling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Tomcat does not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.

Specifically, Tomcat incorrectly ignores the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; it honours the identify encoding; and it does not ensure that, if present, the chunked encoding was the final encoding.

How to fix HTTP Request Smuggling?

Upgrade org.apache.tomcat:tomcat-coyote to version 10.0.7, 9.0.48, 8.5.68 or higher.

[10.0.0-M1,10.0.7) [9.0.0.M1,9.0.48) [8.5.0,8.5.68)
  • M
HTTP Request Smuggling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling. When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

How to fix HTTP Request Smuggling?

Upgrade org.apache.tomcat:tomcat-coyote to version 10.0.2, 9.0.43, 8.5.63 or higher.

[10.0.0-M1,10.0.2) [9.0.0.M1,9.0.43) [8.5.0,8.5.63)
  • M
HTTP Request Smuggling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling. If an HTTP/2 client connecting to Apache Tomcat exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.

How to fix HTTP Request Smuggling?

Upgrade org.apache.tomcat:tomcat-coyote to version 10.0.0-M8, 9.0.38, 8.5.58 or higher.

[10.0.0-M1,10.0.0-M8) [9.0.0.M5,9.0.38) [8.5.1,8.5.58)
  • M
Denial of Service (DoS)

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS). An h2c direct connection did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests are made, an OutOfMemoryException could occur leading to a denial of service.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat:tomcat-coyote to version 10.0.0-M7, 9.0.37, 8.5.57 or higher.

[10.0.0-M1,10.0.0-M7) [9.0.0.M5,9.0.37) [8.5.1,8.5.57)
  • H
Denial of Service (DoS)

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS). A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.56, 9.0.36, 10.0.0-M6 or higher.

[8.5.0,8.5.56) [9.0.0.M1,9.0.36) [10.0.0-M1,10.0.0-M6)