org.apache.tomcat.embed:tomcat-embed-core 10.0.21 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat.embed:tomcat-embed-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Integer Overflow or Wraparound org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion. How to fix Integer Overflow or Wraparound? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.107, 10.1.43, 11.0.9 or higher.	[9.0.0.M1,9.0.107)[10.0.0-M1,10.1.43)[11.0.0-M1,11.0.9)
H Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[,8.5.94)[9.0.0,9.0.81)[10.0.0,10.1.14)[11.0.0-M3,11.0.0-M12)
L HTTP Request Smuggling org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid `Content-Length` header are not being properly rejected. Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. How to fix HTTP Request Smuggling? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.	[8.5.0,8.5.53)[9.0.0-M1,9.0.68)[10.0.0-M1,10.0.27)[10.1.0-M1,10.1.1)

Vulnerability

Vulnerable Version

Integer Overflow or Wraparound

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

How to fix Integer Overflow or Wraparound?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

[9.0.0.M1,9.0.107)[10.0.0-M1,10.1.43)[11.0.0-M1,11.0.9)

Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[,8.5.94)[9.0.0,9.0.81)[10.0.0,10.1.14)[11.0.0-M3,11.0.0-M12)

HTTP Request Smuggling

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Content-Length header are not being properly rejected.

Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

How to fix HTTP Request Smuggling?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

[8.5.0,8.5.53)[9.0.0-M1,9.0.68)[10.0.0-M1,10.0.27)[10.1.0-M1,10.1.1)

org.apache.tomcat.embed:tomcat-embed-core@10.0.21 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?