org.apache.tomcat:tomcat-catalina@10.1.18 vulnerabilities

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as /WEB-INF/ and /META-INF/ by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution.

Note:

1. Older, EOL versions may also be affected.
2. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.109, 10.1.45, 11.0.11 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion.

Note: Successful exploitation depends on the JVM settings, the application memory usage, and application load.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.110, 10.1.47, 11.0.12 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Session Fixation via the rewrite valve if enabled for a web application. An attacker can gain unauthorized access to another user's session by crafting a request that allows session fixation.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.107, 10.1.43, 11.0.9 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the pathInfo component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the pathInfo component by exploiting this vulnerability on a case insensitive file system.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.105, 10.1.41, 11.0.7 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Neutralization in the RewriteValve class, which handles rewrite rules. If rewrite rules are configured to enforce security constraints, those security constraints can be bypassed in some cases by sending a malicious request involving ; or ? characters.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.104, 10.1.40, 11.0.6 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Path Equivalence in the doPut() function in DefaultServlet.java, which insecurely replaces path separators with .s.

If the Default Servlet is configured with writes enabled - which it is not by default - a user can exploit Tomcat's partial PUT functionality to achieve code execution via deserialization. The target URL containing sensitive uploaded files must be a sub-directory of a target URL for public uploads, and the malicious user must know the names of the target sensitive files, which are also uploaded using a partial PUT. If both attacker and target application are using the default storage location and it contains a library that deserializes untrusted code, the attacker can trigger the execution of malicious code.

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.99, 10.1.35, 11.0.3 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.

This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

Note:

The default readonly initialization parameter value of true is not vulnerable.

This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

1. running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)

2. running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)

3. running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.