org.apache.tomcat.embed:tomcat-embed-core@10.1.30 vulnerabilities

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the pathInfo component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the pathInfo component by exploiting this vulnerability on a case insensitive file system.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.105, 10.1.41, 11.0.7 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Cleanup on Thrown Exception when handling failed HTTP/2 requests with certain invalid HTTP priority headers. An attacker can trigger an OutOfMemoryException by sending a large number of malicious requests.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.104, 10.1.40, 11.0.6 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Neutralization in the RewriteValve class, which handles rewrite rules. If rewrite rules are configured to enforce security constraints, those security constraints can be bypassed in some cases by sending a malicious request involving ; or ? characters.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.104, 10.1.40, 11.0.6 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Path Equivalence in the doPut() function in DefaultServlet.java, which insecurely replaces path separators with .s.

If the Default Servlet is configured with writes enabled - which it is not by default - a user can exploit Tomcat's partial PUT functionality to achieve code execution via deserialization. The target URL containing sensitive uploaded files must be a sub-directory of a target URL for public uploads, and the malicious user must know the names of the target sensitive files, which are also uploaded using a partial PUT. If both attacker and target application are using the default storage location and it contains a library that deserializes untrusted code, the attacker can trigger the execution of malicious code.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.99, 10.1.35, 11.0.3 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.

This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

Note:

The default readonly initialization parameter value of true is not vulnerable.

This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Uncaught Exception due to the custom Jakarta Authentication ServerAuthContext component which may throw an exception during the authentication process without setting an HTTP status to indicate failure. An attacker can gain unauthorized access by exploiting this unchecked error condition.

Note:

This is only exploitable if Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that behaves in this way. According to the maintainers, no such cases are known.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.96, 10.1.31, 11.0.0 or higher.