org.apache.tomcat.embed:tomcat-embed-core@9.0.0.M1

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Certificate Validation in the SNI extension, when client certificate authentication relies exclusively on the Connector (and is not enforced in the web application). The hostname provided via the SNI extension may be different from the hostname in the HTTP host header field.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.113, 10.1.50, 11.0.15 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as /WEB-INF/ and /META-INF/ by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution.

Note:

1. Older, EOL versions may also be affected.
2. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.109, 10.1.45, 11.0.11 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion.

Note: Successful exploitation depends on the JVM settings, the application memory usage, and application load.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.110, 10.1.47, 11.0.12 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Session Fixation via the rewrite valve if enabled for a web application. An attacker can gain unauthorized access to another user's session by crafting a request that allows session fixation.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.108, 10.1.44, 11.0.10 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Race Condition on connection close when using the APR/Native connector. An attacker could trigger a JVM crash by rapidly opening and closing HTTP/2 connections. The likelihood of hitting the race condition increases if the connections are closed from the client side.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the pathInfo component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the pathInfo component by exploiting this vulnerability on a case insensitive file system.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.105, 10.1.41, 11.0.7 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Path Equivalence in the doPut() function in DefaultServlet.java, which insecurely replaces path separators with .s.

If the Default Servlet is configured with writes enabled - which it is not by default - a user can exploit Tomcat's partial PUT functionality to achieve code execution via deserialization. The target URL containing sensitive uploaded files must be a sub-directory of a target URL for public uploads, and the malicious user must know the names of the target sensitive files, which are also uploaded using a partial PUT. If both attacker and target application are using the default storage location and it contains a library that deserializes untrusted code, the attacker can trigger the execution of malicious code.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.99, 10.1.35, 11.0.3 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.

This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

Note:

The default readonly initialization parameter value of true is not vulnerable.

This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Uncaught Exception due to the custom Jakarta Authentication ServerAuthContext component which may throw an exception during the authentication process without setting an HTTP status to indicate failure. An attacker can gain unauthorized access by exploiting this unchecked error condition.

Note:

This is only exploitable if Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that behaves in this way. According to the maintainers, no such cases are known.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.96, 10.1.31, 11.0.0 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

The vulnerability is limited to the ROOT (default) web application.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the RemoteIpFilter with requests received from a reverse proxy via HTTP, in which the X-Forwarded-Proto header is set to https. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.

NOTE: After upgrading to the fixed version, the setFileCountMax() must be explicitly set to avoid this vulnerability.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Content-Length header are not being properly rejected.

Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. due to a concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation. Queries made by the JNDI Realm did not always correctly escape parameters. Parameter values could be sourced from user provided data (e.g., user names) as well as configuration data provided by an administrator. In limited circumstances it was possible for users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.6, 9.0.46, 8.5.66, 7.0.109 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling. Tomcat does not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy.

Specifically, Tomcat incorrectly ignores the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; it honours the identify encoding; and it does not ensure that, if present, the chunked encoding was the final encoding.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.7, 9.0.48, 8.5.68 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling. When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.2, 9.0.43, 8.5.63 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.2, 9.0.43, 8.5.63, 7.0.108 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Disclosure. When serving resources from a network location using the NTFS file system, affected versions were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.0-M10, 9.0.40, 8.5.60, 7.0.107 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). A specially crafted sequence of HTTP/2 requests could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.56, 9.0.36, 10.0.0-M6 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). If an attacker is able to control the contents and name of a file on the server; and the server is configured to use the PersistenceManager with a FileStore; and the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 10.0.0-M5, 9.0.35, 8.5.55, 7.0.104 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Session Fixation. When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.30, 8.5.50, 7.0.99 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to not sending WINDOW_UPDATE messages for the connection window, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

Note: This vulnerability is due to an incomplete fix for CVE-2019-0199.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.40, 9.0.20 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the SSI printenv command.

Note: Server Side Includes (SSI) is disabled by default and is intended for debugging purposes only.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.18, 8.5.40, 7.0.94 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to a bug in the way the underlying Java Runtime Environment (JRE) passes command line arguments to windows systems when the option enableCmdLineArguments is enabled.

The CGI Servlet in Apache Tomcat when enabled, will pass user input to the underlying operating system for command line parsing. However, this process is not consistent and may allow the injection of additional arguments. This misconfiguration could be abused by attackers to execute code on an application's underlying operating system.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.94, 8.5.40, 9.0.18 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.38, 9.0.16 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. The URL pattern of (the empty string) which exactly maps to the context root was not correctly handled, this caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.85, 8.0.50, 8.5.28, 9.0.5 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Directory Traversal. Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.5, 8.5.28, 8.0.50, 7.0.85 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Arbitrary Code Execution. When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

This is due to an incomplete fix for CVE-2017-12615.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.82, 8.0.46, 8.5.22, 9.0.1 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Directory Traversal. The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.16, 9.0.0.M22 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.78, 8.0.44, 8.5.15, 9.0.0.M21 or higher.

org.apache.tomcat.embed:tomcat-embed-core In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. A bug in the handling of the pipelined requests, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.77, 8.0.43, 8.5.13, 9.0.0.M19 or higher.

org.apache.tomcat.embed:tomcat-embed-core In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads.

org.apache.tomcat.embed:tomcat-embed-core is an open source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies.

Affected versions of this package are vulnerable to Information Disclosure. While investigating bug 60718, it was noticed that some calls to application listeners, It did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.76, 8.0.42, 8.5.12, 9.0.0.M17 or higher..

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). It allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.70, 8.0.36, 8.5.3, 9.0.0.M7 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. The refactoring of the Connector code for 8.5.x onwards introduced a regression in the error handling of the send file code for the NIO HTTP connector. An error during send file processing resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.74, 8.5.9, 8.0.40, 9.0.0M15 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS). The HTTP/2 header parser entered an infinite loop if a header was received that was larger than the available buffer.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.8, 9.0.0M13 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.73, 8.0.39, 8.5.8, 9.0.0.M13 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.0.37, 8.5.5, 9.0.0.M10 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Timing Attack. The setGlobalContext method in ResourceLinkFactory.java does not consider whether callers to this method are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10 or higher.

org.apache.tomcat.embed:tomcat-embed-core Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

org.apache.tomcat.embed:tomcat-embed-core Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

org.apache.tomcat.embed:tomcat-embed-core The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

org.apache.tomcat.embed:tomcat-embed-core The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.