org.apache.tomcat:tomcat-catalina 10.1.35 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Integer Overflow or Wraparound org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion. How to fix Integer Overflow or Wraparound? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.107, 10.1.43, 11.0.9 or higher.	[9.0.0.M1,9.0.107)[10.0.0-M1,10.1.43)[11.0.0-M1,11.0.9)
H Allocation of Resources Without Limits or Throttling org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
M Authentication Bypass Using an Alternate Path or Channel org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how `PreResources` or `PostResources` handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
M Improper Handling of Case Sensitivity org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the `pathInfo` component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the `pathInfo` component by exploiting this vulnerability on a case insensitive file system. How to fix Improper Handling of Case Sensitivity? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.105, 10.1.41, 11.0.7 or higher.	[9.0.0.M1,9.0.105)[10.1.0-M1,10.1.41)[11.0.0-M1,11.0.7)
M Improper Neutralization org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Neutralization in the `RewriteValve` class, which handles rewrite rules. If rewrite rules are configured to enforce security constraints, those security constraints can be bypassed in some cases by sending a malicious request involving `;` or `?` characters. Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released. How to fix Improper Neutralization? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.104, 10.1.40, 11.0.6 or higher.	[9.0.76,9.0.104)[10.1.10,10.1.40)[11.0.0-M2,11.0.6)

Vulnerability

Vulnerable Version

Integer Overflow or Wraparound

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

How to fix Integer Overflow or Wraparound?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.107, 10.1.43, 11.0.9 or higher.

[9.0.0.M1,9.0.107)[10.0.0-M1,10.1.43)[11.0.0-M1,11.0.9)

Allocation of Resources Without Limits or Throttling

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Authentication Bypass Using an Alternate Path or Channel

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Improper Handling of Case Sensitivity

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the pathInfo component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the pathInfo component by exploiting this vulnerability on a case insensitive file system.

How to fix Improper Handling of Case Sensitivity?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.105, 10.1.41, 11.0.7 or higher.

[9.0.0.M1,9.0.105)[10.1.0-M1,10.1.41)[11.0.0-M1,11.0.7)

Improper Neutralization

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Neutralization in the RewriteValve class, which handles rewrite rules. If rewrite rules are configured to enforce security constraints, those security constraints can be bypassed in some cases by sending a malicious request involving ; or ? characters.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

How to fix Improper Neutralization?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.104, 10.1.40, 11.0.6 or higher.

[9.0.76,9.0.104)[10.1.10,10.1.40)[11.0.0-M2,11.0.6)

org.apache.tomcat:tomcat-catalina@10.1.35 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?