org.apache.tomcat.embed:tomcat-embed-core@9.0.55 vulnerabilities

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.108, 10.1.44, 11.0.10 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Race Condition on connection close when using the APR/Native connector. An attacker could trigger a JVM crash by rapidly opening and closing HTTP/2 connections. The likelihood of hitting the race condition increases if the connections are closed from the client side.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.107, 10.1.43, 11.0.9 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the pathInfo component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the pathInfo component by exploiting this vulnerability on a case insensitive file system.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.105, 10.1.41, 11.0.7 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Path Equivalence in the doPut() function in DefaultServlet.java, which insecurely replaces path separators with .s.

If the Default Servlet is configured with writes enabled - which it is not by default - a user can exploit Tomcat's partial PUT functionality to achieve code execution via deserialization. The target URL containing sensitive uploaded files must be a sub-directory of a target URL for public uploads, and the malicious user must know the names of the target sensitive files, which are also uploaded using a partial PUT. If both attacker and target application are using the default storage location and it contains a library that deserializes untrusted code, the attacker can trigger the execution of malicious code.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.99, 10.1.35, 11.0.3 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.

This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

Note:

The default readonly initialization parameter value of true is not vulnerable.

This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.98, 10.1.34, 11.0.2 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Uncaught Exception due to the custom Jakarta Authentication ServerAuthContext component which may throw an exception during the authentication process without setting an HTTP status to indicate failure. An attacker can gain unauthorized access by exploiting this unchecked error condition.

Note:

This is only exploitable if Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that behaves in this way. According to the maintainers, no such cases are known.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.96, 10.1.31, 11.0.0 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unwrap() function in SecureNio2Channel class, during a TLS handshake. Under certain configurations using TLS 1.3, an attacker can trigger an OutOfMemoryError.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

The vulnerability is limited to the ROOT (default) web application.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the RemoteIpFilter with requests received from a reverse proxy via HTTP, in which the X-Forwarded-Proto header is set to https. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.

NOTE: After upgrading to the fixed version, the setFileCountMax() must be explicitly set to avoid this vulnerability.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Improper Input Validation such that the JsonErrorReportValve does not escape the type, message or description values. In some circumstances these are constructed from user provided data and it is possible for users to supply values that invalidate or manipulate the JSON output.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.84, 9.0.69, 10.1.2 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Content-Length header are not being properly rejected.

Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

org.apache.tomcat.embed:tomcat-embed-core is a Core Tomcat implementation.

Affected versions of this package are vulnerable to Information Exposure. due to a concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Upgrade org.apache.tomcat.embed:tomcat-embed-core to version 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14 or higher.