org.apache.tomcat:tomcat-coyote@8.5.86 vulnerabilities

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.