org.apache.tomcat.embed:tomcat-embed-core@10.0.11 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat.embed:tomcat-embed-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[,8.5.94) [9.0.0,9.0.81) [10.0.0,10.1.14) [11.0.0-M3,11.0.0-M12)
  • L
HTTP Request Smuggling

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Content-Length header are not being properly rejected.

Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

How to fix HTTP Request Smuggling?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

[8.5.0,8.5.53) [9.0.0-M1,9.0.68) [10.0.0-M1,10.0.27) [10.1.0-M1,10.1.1)
  • L
Information Exposure

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. due to a concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

How to fix Information Exposure?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14 or higher.

[8.5.0,8.5.78) [9.0.0-M1,9.0.62) [10.0.0-M1,10.0.20) [10.1.0-M1,10.1.0-M14)
  • H
Privilege Escalation

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Privilege Escalation via a time of check, time of use vulnerability that allows a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

How to fix Privilege Escalation?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.75, 9.0.58, 10.0.16, 10.1.0-M10 or higher.

[8.5.55,8.5.75) [9.0.0,9.0.58) [10.0.0-M1,10.0.16) [10.1.0-M1,10.1.0-M10)