org.apache.tomcat.embed:tomcat-embed-core@8.5.83 vulnerabilities

latest version

11.0.0
latest non vulnerable version

11.0.0
first published

14 years ago
latest version published

2 months ago
licenses detected
- Apache-2.0
  [0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat.embed:tomcat-embed-core package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Insufficient Session Expiration org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in `http2/Stream.java`. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting `maxConnections`. How to fix Insufficient Session Expiration? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.	[,9.0.90) [10.1.0-M1,10.1.25) [11.0.0-M1,11.0.0-M21)
H Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.	[8.5.0,8.5.99) [9.0.0-M1,9.0.86) [10.1.0-M1,10.1.19) [11.0.0-M1,1.0.0-M17)
H Improper Input Validation org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy. How to fix Improper Input Validation? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.	[8.5.0,8.5.96) [9.0.0-M1,9.0.83) [10.1.0-M1,10.1.16) [11.0.0-M1,11.0.0-M10)
M Incomplete Cleanup org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error. How to fix Incomplete Cleanup? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[8.5.0,8.5.94) [9.0.0-M1,9.0.81) [10.1.0-M1,10.1.14) [11.0.0-M1,11.0.0-M12)
M Improper Input Validation org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of `HTTP` trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy. How to fix Improper Input Validation? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[8.5.0,8.5.94) [9.0.0-M1,9.0.81) [10.1.0-M1,10.1.14) [11.0.0-M1,11.0.0-M12)
H Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[,8.5.94) [9.0.0,9.0.81) [10.0.0,10.1.14) [11.0.0-M3,11.0.0-M12)
M Access Restriction Bypass org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice. The vulnerability is limited to the ROOT (default) web application. How to fix Access Restriction Bypass? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.	[8.5.0,8.5.93) [9.0.0-M1,9.0.80) [10.1.0-M1,10.1.13) [11.0.0-M1,11.0.0-M11)
M Unprotected Transport of Credentials org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the `RemoteIpFilter` with requests received from a reverse proxy via HTTP, in which the `X-Forwarded-Proto` header is set to `https`. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel. How to fix Unprotected Transport of Credentials? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.	[8.5.0,8.5.86) [9.0.0-M1,9.0.72) [10.1.0-M1,10.1.6) [11.0.0-M1,11.0.0-M3)
M Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload. NOTE: After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this vulnerability. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.	[8.5.0,8.5.85) [9.0.0-M1,9.0.71) [10.1.0-M1,10.1.5) [11.0.0-M1,11.0.0-M3)
H Improper Input Validation org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Input Validation such that the `JsonErrorReportValve` does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it is possible for users to supply values that invalidate or manipulate the JSON output. How to fix Improper Input Validation? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.84, 9.0.69, 10.1.2 or higher.	[8.5.83,8.5.84) [9.0.40,9.0.69) [10.1.0-M1,10.1.2)

Go back to all versions of this package

org.apache.tomcat.embed:tomcat-embed-core@8.5.83 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities