org.apache.tomcat:tomcat-coyote@9.0.88 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Allocation of Resources Without Limits or Throttling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unwrap() function in SecureNio2Channel class, during a TLS handshake. Under certain configurations using TLS 1.3, an attacker can trigger an OutOfMemoryError.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

[9.0.13,9.0.90) [10.1.0-M1,10.1.25) [11.0.0-M1,11.0.0-M21)
  • H
Insufficient Session Expiration

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

How to fix Insufficient Session Expiration?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

[,9.0.90) [10.1.0-M1,10.1.25) [11.0.0-M1,11.0.0-M21)