org.apache.tomcat:tomcat-coyote@10.1.13 vulnerabilities

latest version

11.0.0
latest non vulnerable version

11.0.0
first published

14 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the `unwrap()` function in `SecureNio2Channel` class, during a TLS handshake. Under certain configurations using TLS 1.3, an attacker can trigger an `OutOfMemoryError`. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.	[9.0.13,9.0.90) [10.1.0-M1,10.1.25) [11.0.0-M1,11.0.0-M21)
H Insufficient Session Expiration org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in `http2/Stream.java`. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting `maxConnections`. How to fix Insufficient Session Expiration? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.	[,9.0.90) [10.1.0-M1,10.1.25) [11.0.0-M1,11.0.0-M21)
H Denial of Service (DoS) org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat:tomcat-coyote` to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.	[8.5.0,8.5.99) [9.0.0-M1,9.0.86) [10.1.0-M1,10.1.19) [11.0.0-M1,1.0.0-M17)
M Improper Input Validation org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of `HTTP` trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy. How to fix Improper Input Validation? Upgrade `org.apache.tomcat:tomcat-coyote` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[8.5.0,8.5.94) [9.0.0-M1,9.0.81) [10.1.0-M1,10.1.14) [11.0.0-M1,11.0.0-M12)
H Denial of Service (DoS) org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat:tomcat-coyote` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[,8.5.94) [9.0.0,9.0.81) [10.0.0,10.1.14) [11.0.0-M3,11.0.0-M12)

Go back to all versions of this package

org.apache.tomcat:tomcat-coyote@10.1.13 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities