org.apache.tomcat:tomcat-coyote@9.0.0.M25 vulnerabilities

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Information Exposure through an incomplete POST request, which triggers an error response that could contain data from a previous request from another user.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.64, 9.0.44, 10.0.4 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Content-Length header are not being properly rejected.

Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release. When a web application sends a WebSocket message concurrently with the WebSocket connection closing, the application may continue to use the socket after it has been closed. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.76, 9.0.21 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Tomcat does not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.

Specifically, Tomcat incorrectly ignores the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; it honours the identify encoding; and it does not ensure that, if present, the chunked encoding was the final encoding.

Upgrade org.apache.tomcat:tomcat-coyote to version 10.0.7, 9.0.48, 8.5.68 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to HTTP Request Smuggling. When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Upgrade org.apache.tomcat:tomcat-coyote to version 10.0.2, 9.0.43, 8.5.63 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS). A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.56, 9.0.36, 10.0.0-M6 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to not sending WINDOW_UPDATE messages for the connection window, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Note: This vulnerability is due to an incomplete fix for CVE-2019-0199.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.40, 9.0.20 or higher.

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Denial of Service (DoS). The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion.

Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.38, 9.0.16 or higher.