org.apache.tomcat.embed:tomcat-embed-core 7.0.108

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat.embed:tomcat-embed-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Improper Authentication org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as the system will incorrectly authenticate the user. How to fix Improper Authentication? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.0.0-M1,10.1.55)[11.0.0-M1,11.0.22)
M Improper Handling of Case Sensitivity org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the `LockOutRealm` function. An attacker can bypass account lockout protections by submitting usernames with different letter casing. How to fix Improper Handling of Case Sensitivity? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.0.0-M1,10.1.55)[11.0.0-M1,11.0.22)
M Improper Validation of Syntactic Correctness of Input org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behavior or potentially compromise the application by sending specially crafted HTTP/2 request headers. How to fix Improper Validation of Syntactic Correctness of Input? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.0.0-M1,10.1.55)[11.0.0-M1,11.0.22)
M Improper Authorization org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authorization in the processing of security constraints when multiple method constraints define an HTTP method for the same extension. An attacker can gain unauthorized access to protected resources by crafting requests that exploit the improper application of these constraints. How to fix Improper Authorization? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.0.0-M1,10.1.55)[11.0.0-M1,11.0.22)
M Timing Attack org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Timing Attack via AJP secret comparison. An attacker can perform a timing side-channel attack to determine whether a guessed secret is correct by sending many authentication attempts directly to the connector and measuring the time taken to compare secrets. How to fix Timing Attack? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.118, 10.1.55, 11.0.22 or higher.	[,9.0.118)[10.1.0-M1,10.1.55)[11.0.0-M1,11.0.22)
H HTTP Request Smuggling org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to HTTP Request Smuggling in `ChunkedInputFilter`, when handling HTTP/1.1 requests with invalid chunk extensions. An attacker can interfere with the interpretation of HTTP requests and responses by injecting CRLF sequences and sending the payload to an application using a reverse proxy that allows those sequences. How to fix HTTP Request Smuggling? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.116, 10.1.53, 11.0.20 or higher.	[7.0.0,9.0.116)[10.1.0-M1,10.1.53)[11.0.0-M1,11.0.20)
H Improper Authentication org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authentication in `processOCSPRequest()`, which is part of the the `CLIENT_CERT` authentication process. In some "edge cases", an attacker can trigger a soft-fail of OCSP checks when soft-fail is disabled. How to fix Improper Authentication? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.117, 10.1.54, 11.0.21 or higher.	[,9.0.117)[10.1.0-M7,10.1.54)[11.0.0-M1,11.0.21)
H Improper Authentication org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authentication in `processOCSPRequest()`, which is part of the the `CLIENT_CERT` authentication process. An attacker can trigger a soft-fail of OCSP checks when soft-fail is disabled. How to fix Improper Authentication? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.116, 10.1.53, 11.0.20 or higher.	[,9.0.116)[10.1.0-M7,10.1.53)[11.0.0-M1,11.0.20)
M Improper Encoding or Escaping of Output org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in `JsonAccessLogValve()`, which relies on an unescaped `append()` in generating JSON logs. If non-default values are used for the Connector attributes `relaxedPathChars` or `relaxedQueryChars`, an attacker can inject malicious JSON into logs. How to fix Improper Encoding or Escaping of Output? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.117, 10.1.54, 11.0.21 or higher.	[,9.0.117)[10.1.0-M1,10.1.54)[11.0.0-M1,11.0.21)
L Improper Authorization org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Authorization in `prepareRequestProtocol()`, which accepts HTTP/0.9 requests other than `GET`. A security constraint configured to allow `HEAD` requests to a URI but deny `GET` requests allows a user to bypass the constraint by sending an invalid `HEAD` request. How to fix Improper Authorization? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.113, 10.1.50, 11.0.15 or higher.	[,9.0.113)[10.1.0-M1,10.1.50)[11.0.0-M1,11.0.15)
H Relative Path Traversal org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as `/WEB-INF/` and `/META-INF/` by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution. Note: Older, EOL versions may also be affected. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. How to fix Relative Path Traversal? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.109, 10.1.45, 11.0.11 or higher.	[,9.0.109)[10.1.0-M1,10.1.45)[11.0.0-M1,11.0.11)
M Improper Resource Shutdown or Release org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion. Note: Successful exploitation depends on the JVM settings, the application memory usage, and application load. How to fix Improper Resource Shutdown or Release? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.110, 10.1.47, 11.0.12 or higher.	[,9.0.110)[10.0.0-M1,10.1.47)[11.0.0-M1,11.0.12)
H Allocation of Resources Without Limits or Throttling org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
M Authentication Bypass Using an Alternate Path or Channel org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how `PreResources` or `PostResources` handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
H Insufficient Session Expiration org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in `http2/Stream.java`. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting `maxConnections`. How to fix Insufficient Session Expiration? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.	[,9.0.90)[10.1.0-M1,10.1.25)[11.0.0-M1,11.0.0-M21)
H Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[,8.5.94)[9.0.0,9.0.81)[10.0.0,10.1.14)[11.0.0-M3,11.0.0-M12)
M Improper Input Validation org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Input Validation. Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (e.g., user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm. How to fix Improper Input Validation? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 10.0.6, 9.0.46, 8.5.66, 7.0.109 or higher.	[10.0.0-M1,10.0.6)[9.0.0.M1,9.0.46)[8.5.0,8.5.66)[7.0.0,7.0.109)

Vulnerability

Vulnerable Version

Improper Authentication

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Authentication when DIGEST authentication is configured. An attacker can gain unauthorized access by providing any unknown username, as the system will incorrectly authenticate the user.

How to fix Improper Authentication?