org.apache.tomcat.embed:tomcat-embed-core 8.5.85 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat.embed:tomcat-embed-core package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
M Authentication Bypass Using an Alternate Path or Channel org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how `PreResources` or `PostResources` handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
H Insufficient Session Expiration org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in `http2/Stream.java`. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting `maxConnections`. How to fix Insufficient Session Expiration? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.	[,9.0.90)[10.1.0-M1,10.1.25)[11.0.0-M1,11.0.0-M21)
H Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.	[8.5.0,8.5.99)[9.0.0-M1,9.0.86)[10.1.0-M1,10.1.19)[11.0.0-M1,1.0.0-M17)
H Improper Input Validation org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy. How to fix Improper Input Validation? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.	[8.5.0,8.5.96)[9.0.0-M1,9.0.83)[10.1.0-M1,10.1.16)[11.0.0-M1,11.0.0-M10)
M Incomplete Cleanup org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error. How to fix Incomplete Cleanup? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)
M Improper Input Validation org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of `HTTP` trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy. How to fix Improper Input Validation? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)
M Incomplete Cleanup org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Incomplete Cleanup in the internal fork of `Commons FileUpload` package. An attacker can potentially cause a denial of service on Windows by opening a stream for an uploaded file but failing to close the stream. This results in the file never being deleted from the disk, creating the possibility of an eventual denial of service due to the disk being full. Note: This vulnerability is exploitable on Windows operating systems. How to fix Incomplete Cleanup? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81 or higher.	[8.5.85,8.5.94)[9.0.70,9.0.81)
H Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[,8.5.94)[9.0.0,9.0.81)[10.0.0,10.1.14)[11.0.0-M3,11.0.0-M12)
M Access Restriction Bypass org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice. The vulnerability is limited to the ROOT (default) web application. How to fix Access Restriction Bypass? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.	[8.5.0,8.5.93)[9.0.0-M1,9.0.80)[10.1.0-M1,10.1.13)[11.0.0-M1,11.0.0-M11)
M Denial of Service (DoS) org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Denial of Service (DoS) due to an incomplete fix for CVE-2023-24998. If non-default HTTP connector settings were used such that the `maxParameterCount` could be reached using query string parameters and a request was submitted that supplied exactly `maxParameterCount` parameters in the query string, the limit on uploaded request parts could be bypassed. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.88, 9.0.74, 10.1.8, 11.0.0-M5 or higher.	[8.5.85,8.5.88)[9.0.71,9.0.74)[10.1.5,10.1.8)[11.0.0-M2,11.0.0-M5)
M Unprotected Transport of Credentials org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation. Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the `RemoteIpFilter` with requests received from a reverse proxy via HTTP, in which the `X-Forwarded-Proto` header is set to `https`. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel. How to fix Unprotected Transport of Credentials? Upgrade `org.apache.tomcat.embed:tomcat-embed-core` to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.	[8.5.0,8.5.86)[9.0.0-M1,9.0.72)[10.1.0-M1,10.1.6)[11.0.0-M1,11.0.0-M3)

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Authentication Bypass Using an Alternate Path or Channel

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Insufficient Session Expiration

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

How to fix Insufficient Session Expiration?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

[,9.0.90)[10.1.0-M1,10.1.25)[11.0.0-M1,11.0.0-M21)

Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

[8.5.0,8.5.99)[9.0.0-M1,9.0.86)[10.1.0-M1,10.1.19)[11.0.0-M1,1.0.0-M17)

Improper Input Validation

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

How to fix Improper Input Validation?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

[8.5.0,8.5.96)[9.0.0-M1,9.0.83)[10.1.0-M1,10.1.16)[11.0.0-M1,11.0.0-M10)

Incomplete Cleanup

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

How to fix Incomplete Cleanup?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)

Improper Input Validation

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

How to fix Improper Input Validation?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)

Incomplete Cleanup

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Incomplete Cleanup in the internal fork of Commons FileUpload package. An attacker can potentially cause a denial of service on Windows by opening a stream for an uploaded file but failing to close the stream. This results in the file never being deleted from the disk, creating the possibility of an eventual denial of service due to the disk being full.

Note:

This vulnerability is exploitable on Windows operating systems.

How to fix Incomplete Cleanup?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81 or higher.

[8.5.85,8.5.94)[9.0.70,9.0.81)

Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[,8.5.94)[9.0.0,9.0.81)[10.0.0,10.1.14)[11.0.0-M3,11.0.0-M12)

Access Restriction Bypass

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

The vulnerability is limited to the ROOT (default) web application.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.

[8.5.0,8.5.93)[9.0.0-M1,9.0.80)[10.1.0-M1,10.1.13)[11.0.0-M1,11.0.0-M11)

Denial of Service (DoS)

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to an incomplete fix for CVE-2023-24998. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit on uploaded request parts could be bypassed.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.88, 9.0.74, 10.1.8, 11.0.0-M5 or higher.

[8.5.85,8.5.88)[9.0.71,9.0.74)[10.1.5,10.1.8)[11.0.0-M2,11.0.0-M5)

Unprotected Transport of Credentials

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the RemoteIpFilter with requests received from a reverse proxy via HTTP, in which the X-Forwarded-Proto header is set to https. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel.

How to fix Unprotected Transport of Credentials?

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.

[8.5.0,8.5.86)[9.0.0-M1,9.0.72)[10.1.0-M1,10.1.6)[11.0.0-M1,11.0.0-M3)

org.apache.tomcat.embed:tomcat-embed-core@8.5.85 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?