org.apache.tomcat.embed:tomcat-embed-core 10.1.53

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat.embed:tomcat-embed-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Improper Authentication org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as the system will incorrectly authenticate the user. How to fix Improper Authentication? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.0.0-M1,10.1.55)[11.0.0-M1,11.0.22)
M Improper Handling of Case Sensitivity org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the `LockOutRealm` function. An attacker can bypass account lockout protections by submitting usernames with different letter casing. How to fix Improper Handling of Case Sensitivity? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.0.0-M1,10.1.55)[11.0.0-M1,11.0.22)
M Improper Validation of Syntactic Correctness of Input org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behavior or potentially compromise the application by sending specially crafted HTTP/2 request headers. How to fix Improper Validation of Syntactic Correctness of Input? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.0.0-M1,10.1.55)[11.0.0-M1,11.0.22)
M Improper Authorization org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define an HTTP method for the same extension. An attacker can gain unauthorized access to protected resources by crafting requests that exploit the improper application of these constraints. How to fix Improper Authorization? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.0.0-M1,10.1.55)[11.0.0-M1,11.0.22)
M Timing Attack org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret is correct by sending many authentication attempts directly to the connector and measuring the time taken to compare secrets. How to fix Timing Attack? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.1.0-M1,10.1.55)[11.0.0-M1,11.0.22)
H Allocation of Resources Without Limits or Throttling org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the WebDAV `LOCK` and `PROPFIND` XML request bodies. An attacker can cause excessive resource consumption by sending specially crafted requests that trigger unbounded reads. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[9.0.0.M1,9.0.118)[10.1.0-M1,10.1.55)[11.0.0-M1,11.0.22)
H Improper Authentication org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authentication in `processOCSPRequest()`, which is part of the the `CLIENT_CERT` authentication process. In some "edge cases", an attacker can trigger a soft-fail of OCSP checks when soft-fail is disabled. How to fix Improper Authentication? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.117, 10.1.54, 11.0.21 or higher.	[,9.0.117)[10.1.0-M7,10.1.54)[11.0.0-M1,11.0.21)
M Improper Encoding or Escaping of Output org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in `JsonAccessLogValve()`, which relies on an unescaped `append()` in generating JSON logs. If non-default values are used for the Connector attributes `relaxedPathChars` or `relaxedQueryChars`, an attacker can inject malicious JSON into logs. How to fix Improper Encoding or Escaping of Output? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.117, 10.1.54, 11.0.21 or higher.	[,9.0.117)[10.1.0-M1,10.1.54)[11.0.0-M1,11.0.21)

Vulnerability

Vulnerable Version

Improper Authentication

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as the system will incorrectly authenticate the user.

How to fix Improper Authentication?