Homepage
About Snyk

org.apache.tomcat:tomcat-coyote@10.0.4 vulnerabilities

Go back to all versions of this package
Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Denial of Service (DoS)

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[,8.5.94) [9.0.0,9.0.81) [10.0.0,10.1.14) [11.0.0-M3,11.0.0-M12)
  • L
HTTP Request Smuggling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Content-Length header are not being properly rejected.

Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

How to fix HTTP Request Smuggling?

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

[8.5.0,8.5.53) [9.0.0-M1,9.0.68) [10.0.0-M1,10.0.27) [10.1.0-M1,10.1.1)
  • M
HTTP Request Smuggling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Tomcat does not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.

Specifically, Tomcat incorrectly ignores the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; it honours the identify encoding; and it does not ensure that, if present, the chunked encoding was the final encoding.

How to fix HTTP Request Smuggling?

Upgrade org.apache.tomcat:tomcat-coyote to version 10.0.7, 9.0.48, 8.5.68 or higher.

[10.0.0-M1,10.0.7) [9.0.0.M1,9.0.48) [8.5.0,8.5.68)
  • H
Denial of Service (DoS)

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS). An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a denial of service. Applications that do not use non-blocking I/O are not exposed to this vulnerability.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat:tomcat-coyote to version 10.0.5, 9.0.45, 8.5.65 or higher.

[10.0.3,10.0.5) [9.0.44,9.0.45) [8.5.64,8.5.65)
Go back to all versions of this package