org.apache.tomcat.embed:tomcat-embed-core@8.0.36 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat.embed:tomcat-embed-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.
Fix for free
Vulnerability Vulnerable Version
  • H
Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[,8.5.94) [9.0.0,9.0.81) [10.0.0,10.1.14) [11.0.0-M3,11.0.0-M12)
  • H
Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). When Tomcat is configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially-crafted packet could be used to trigger an infinite loop resulting in a denial of service.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.4, 8.5.64, 9.0.44 or higher.

[10.0.0,10.0.4) [8.0.0,8.5.64) [9.0.0,9.0.44)
  • H
Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the UTF-8 decoder. When handling some special characters, the decoder may enter an infinite loop, thus denying service to other requests.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.90, 8.0.52, 8.5.32, 9.0.10 or higher.

[,7.0.90) [8.0.0,8.0.52) [8.5.0,8.5.32) [9.0.0,9.0.10)
  • C
Insecure Defaults

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insecure Defaults. The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins.

How to fix Insecure Defaults?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.89, 8.0.53, 8.5.32, 9.0.9 or higher.

[,7.0.89) [8.0.0,8.0.53) [8.5.0,8.5.32) [9.0.0,9.0.9)
  • M
Access Restriction Bypass

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. The URL pattern of (the empty string) which exactly maps to the context root was not correctly handled, this caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.85, 8.0.50, 8.5.28, 9.0.5 or higher.

[7.0.0,7.0.85) [8.0.0.RC1,8.0.50) [8.5.0,8.5.28) [9.0.0.M1,9.0.5)
  • M
Directory Traversal

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Directory Traversal. Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

How to fix Directory Traversal?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.5, 8.5.28, 8.0.50, 7.0.85 or higher.

[9.0.0M1,9.0.5) [8.5.0,8.5.28) [8.0.0RC1,8.0.50) [7.0.0,7.0.85)
  • H
Arbitrary Code Execution

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Arbitrary Code Execution. When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

This is due to an incomplete fix for CVE-2017-12615.

How to fix Arbitrary Code Execution?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.82, 8.0.46, 8.5.22, 9.0.1 or higher.

[,7.0.82) [8,8.0.46) [8.5,8.5.22) [9.0.0.M1,9.0.1)
  • H
Access Restriction Bypass

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.78, 8.0.44, 8.5.15, 9.0.0.M21 or higher.

[7.0.0,7.0.78) [8.0.0RC1,8.0.44) [8.5.0,8.5.15) [9.0.0.M1,9.0.0.M21)
  • H
Information Exposure

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. A bug in the handling of the pipelined requests, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

How to fix Information Exposure?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.77, 8.0.43, 8.5.13, 9.0.0.M19 or higher.

[7.0.0,7.0.77) [8.0.0-RC1,8.0.43) [8.5.0,8.5.13) [9.0.0.M1,9.0.0.M19)
  • C
Information Exposure

org.apache.tomcat.embed:tomcat-embed-core is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies.

Affected versions of this package are vulnerable to Information Disclosure. While investigating bug 60718, it was noticed that some calls to application listeners, It did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

How to fix Information Exposure?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.76, 8.0.42, 8.5.12, 9.0.0.M17 or higher..

[7.0.0,7.0.76) [8.0.0-RC1,8.0.42) [8.5.0,8.5.12) [9.0.0.M1,9.0.0.M17)
  • H
Information Exposure

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. The refactoring of the Connector code for 8.5.x onwards introduced a regression in the error handling of the send file code for the NIO HTTP connector. An error during send file processing resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body.

How to fix Information Exposure?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.74, 8.5.9, 8.0.40, 9.0.0M15 or higher.

[7,7.0.74) [8.5.0,8.5.9) [8.0.0RC1,8.0.40) [9.0.0M1,9.0.0M15)
  • H
Information Exposure

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

How to fix Information Exposure?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.73, 8.0.39, 8.5.8, 9.0.0.M13 or higher.

[7.0.0,7.0.73) [8,8.0.39) [8.5.0,8.5.8) [9-alpha,9.0.0.M13)
  • H
Access Restriction Bypass

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10 or higher.

[7.0.0,7.0.72) [8,8.0.37) [8.5.0,8.5.5) [9-alpha,9.0.0.M10)
  • M
Information Exposure

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

How to fix Information Exposure?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.0.37, 8.5.5, 9.0.0.M10 or higher.

[8,8.0.37) [8.5.0,8.5.5) [9-alpha,9.0.0.M10)
  • M
Timing Attack

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Timing Attack. The setGlobalContext method in ResourceLinkFactory.java does not consider whether callers to this method are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

How to fix Timing Attack?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10 or higher.

[7.0.0,7.0.72) [8.0.0-RC1,8.0.37) [8.5.0,8.5.5) [9.0.0.M1,9.0.0.M10)