org.apache.tomcat:tomcat-coyote@8.5.4 vulnerabilities
-
latest version
10.1.28
-
latest non vulnerable version
-
first published
14 years ago
-
latest version published
2 months ago
-
licenses detected
- [0,)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the org.apache.tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in How to fix Insufficient Session Expiration? Upgrade |
[,9.0.90)
[10.1.0-M1,10.1.25)
[11.0.0-M1,11.0.0-M21)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. How to fix Denial of Service (DoS)? Upgrade |
[8.5.0,8.5.99)
[9.0.0-M1,9.0.86)
[10.1.0-M1,10.1.19)
[11.0.0-M1,1.0.0-M17)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of How to fix Improper Input Validation? Upgrade |
[8.5.0,8.5.94)
[9.0.0-M1,9.0.81)
[10.1.0-M1,10.1.14)
[11.0.0-M1,11.0.0-M12)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation. How to fix Denial of Service (DoS)? Upgrade |
[,8.5.94)
[9.0.0,9.0.81)
[10.0.0,10.1.14)
[11.0.0-M3,11.0.0-M12)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. How to fix HTTP Request Smuggling? Upgrade |
[8.5.0,8.5.53)
[9.0.0-M1,9.0.68)
[10.0.0-M1,10.0.27)
[10.1.0-M1,10.1.1)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release. When a web application sends a WebSocket message concurrently with the WebSocket connection closing, the application may continue to use the socket after it has been closed. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. How to fix Improper Resource Shutdown or Release? Upgrade |
[8.5.0,8.5.76)
[9.0.0.M1,9.0.21)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS). When Tomcat is configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially-crafted packet could be used to trigger an infinite loop resulting in a denial of service. How to fix Denial of Service (DoS)? Upgrade |
[10.0.0,10.0.4)
[8.0.0,8.5.64)
[9.0.0,9.0.44)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to HTTP Request Smuggling. Tomcat does not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically, Tomcat incorrectly ignores the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; it honours the identify encoding; and it does not ensure that, if present, the chunked encoding was the final encoding. How to fix HTTP Request Smuggling? Upgrade |
[10.0.0-M1,10.0.7)
[9.0.0.M1,9.0.48)
[8.5.0,8.5.68)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to HTTP Request Smuggling. When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request. How to fix HTTP Request Smuggling? Upgrade |
[10.0.0-M1,10.0.2)
[9.0.0.M1,9.0.43)
[8.5.0,8.5.63)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to HTTP Request Smuggling. If an HTTP/2 client connecting to Apache Tomcat exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. How to fix HTTP Request Smuggling? Upgrade |
[10.0.0-M1,10.0.0-M8)
[9.0.0.M5,9.0.38)
[8.5.1,8.5.58)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS). An How to fix Denial of Service (DoS)? Upgrade |
[10.0.0-M1,10.0.0-M7)
[9.0.0.M5,9.0.37)
[8.5.1,8.5.57)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS). A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. How to fix Denial of Service (DoS)? Upgrade |
[8.5.0,8.5.56)
[9.0.0.M1,9.0.36)
[10.0.0-M1,10.0.0-M6)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Arbitrary File Upload. This is enabled by default with a default configuration port of How to fix Arbitrary File Upload? Upgrade |
[9.0.0,9.0.31)
[8.0.0,8.5.51)
[,7.0.100)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS) due to not sending Note: This vulnerability is due to an incomplete fix for CVE-2019-0199. How to fix Denial of Service (DoS)? Upgrade |
[8.5.0,8.5.40)
[9.0.0.M1,9.0.20)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS). The How to fix Denial of Service (DoS)? Upgrade |
[8.5.0,8.5.38)
[9.0.0.M1,9.0.16)
|
|
[8.5.0,8.5.13)
[9-alpha,9.0.0.M19)
|
|
[7.0.0,7.0.77)
[8,8.0.43)
[8.5.0,8.5.13)
[9-alpha,9.0.0.M19)
|
|
[8.5.0,8.5.13)
[9-alpha,9.0.0.M19)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Denial of Service (DoS). The HTTP/2 header parser entered an infinite loop if a header was received that was larger than the available buffer. How to fix Denial of Service (DoS)? Upgrade |
[8.5.0,8.5.8)
[9.0.0M1,9.0.0M13)
|
org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Information Exposure. The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. How to fix Information Exposure? Upgrade |
[7.0.0,7.0.73)
[8,8.0.39)
[8.5.0,8.5.8)
[9-alpha,9.0.0.M13)
|