org.apache.tomcat.embed:tomcat-embed-core@11.0.0-M15 vulnerabilities

latest version

10.1.20
latest non vulnerable version

11.0.0-M9
first published

14 years ago
latest version published

a month ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat.embed:tomcat-embed-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
M Unprotected Transport of Credentials org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the `RemoteIpFilter` with requests received from a reverse proxy via HTTP, in which the `X-Forwarded-Proto` header is set to `https`. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel. How to fix Unprotected Transport of Credentials? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.	[8.5.0,8.5.86) [9.0.0-M1,9.0.72) [10.1.0-M1,10.1.6) [11.0.0-M1,11.0.0-M3)
M Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload. NOTE: After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this vulnerability. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.	[8.5.0,8.5.85) [9.0.0-M1,9.0.71) [10.1.0-M1,10.1.5) [11.0.0-M1,11.0.0-M3)

Unprotected Transport of Credentials

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the RemoteIpFilter with requests received from a reverse proxy via HTTP, in which the X-Forwarded-Proto header is set to https. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel.

How to fix Unprotected Transport of Credentials?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.

[8.5.0,8.5.86) [9.0.0-M1,9.0.72) [10.1.0-M1,10.1.6) [11.0.0-M1,11.0.0-M3)

Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.

NOTE: After upgrading to the fixed version, the setFileCountMax() must be explicitly set to avoid this vulnerability.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.

[8.5.0,8.5.85) [9.0.0-M1,9.0.71) [10.1.0-M1,10.1.5) [11.0.0-M1,11.0.0-M3)

Go back to all versions of this package

org.apache.tomcat.embed:tomcat-embed-core@11.0.0-M15 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities