org.apache.tomcat:tomcat-catalina 8.5.81

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Relative Path Traversal org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as `/WEB-INF/` and `/META-INF/` by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution. Note: Older, EOL versions may also be affected. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. How to fix Relative Path Traversal? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.109, 10.1.45, 11.0.11 or higher.	[,9.0.109)[10.1.0-M1,10.1.45)[11.0.0-M1,11.0.11)
M Improper Resource Shutdown or Release org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion. Note: Successful exploitation depends on the JVM settings, the application memory usage, and application load. How to fix Improper Resource Shutdown or Release? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.110, 10.1.47, 11.0.12 or higher.	[,9.0.110)[10.0.0-M1,10.1.47)[11.0.0-M1,11.0.12)
H Allocation of Resources Without Limits or Throttling org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
M Authentication Bypass Using an Alternate Path or Channel org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how `PreResources` or `PostResources` handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
C Time-of-check Time-of-use (TOCTOU) Race Condition org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled. In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat : running on Java 8 or Java 11: the system property `sun.io.useCanonCaches` must be explicitly set to false (it defaults to true) running on Java 17: the system property `sun.io.useCanonCaches`, if set, must be set to false (it defaults to false) running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.98, 10.1.34, 11.0.2 or higher.	[8.5.0,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)
C Time-of-check Time-of-use (TOCTOU) Race Condition org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed. This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously. Note: The default `readonly` initialization parameter value of `true` is not vulnerable. This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability; In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat : running on Java 8 or Java 11: the system property `sun.io.useCanonCaches` must be explicitly set to false (it defaults to true) running on Java 17: the system property `sun.io.useCanonCaches`, if set, must be set to false (it defaults to false) running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.98, 10.1.34, 11.0.2 or higher.	[8.5.0,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)
H Improper Input Validation org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy. How to fix Improper Input Validation? Upgrade `org.apache.tomcat:tomcat-catalina` to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.	[8.5.0,8.5.96)[9.0.0-M1,9.0.83)[10.1.0-M1,10.1.16)[11.0.0-M1,11.0.0-M10)
M Incomplete Cleanup org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error. How to fix Incomplete Cleanup? Upgrade `org.apache.tomcat:tomcat-catalina` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)
M Access Restriction Bypass org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice. The vulnerability is limited to the ROOT (default) web application. How to fix Access Restriction Bypass? Upgrade `org.apache.tomcat:tomcat-catalina` to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.	[8.5.0,8.5.93)[9.0.0-M1,9.0.80)[10.1.0-M1,10.1.13)[11.0.0-M1,11.0.0-M11)
M Unprotected Transport of Credentials org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the `RemoteIpFilter` with requests received from a reverse proxy via HTTP, in which the `X-Forwarded-Proto` header is set to `https`. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel. How to fix Unprotected Transport of Credentials? Upgrade `org.apache.tomcat:tomcat-catalina` to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.	[8.5.0,8.5.86)[9.0.0-M1,9.0.72)[10.1.0-M1,10.1.6)[11.0.0-M1,11.0.0-M3)
M Denial of Service (DoS) org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload. NOTE: After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this vulnerability. How to fix Denial of Service (DoS)? Upgrade `org.apache.tomcat:tomcat-catalina` to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.	[8.5.0,8.5.85)[9.0.0-M1,9.0.71)[10.1.0-M1,10.1.5)[11.0.0-M1,11.0.0-M3)

Vulnerability

Vulnerable Version

Relative Path Traversal

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Relative Path Traversal via the URL normalization. An attacker can bypass security constraints and access restricted directories such as /WEB-INF/ and /META-INF/ by manipulating the request URI. If PUT requests are also enabled then malicious files could be uploaded leading to remote code execution.

Note:

Older, EOL versions may also be affected.
PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.

How to fix Relative Path Traversal?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.109, 10.1.45, 11.0.11 or higher.

[,9.0.109)[10.1.0-M1,10.1.45)[11.0.0-M1,11.0.11)

Improper Resource Shutdown or Release

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release due to the delayed cleaning of multipart upload temporary files. An attacker can cause a denial-of-service by sending crafted requests that create temporary copies of uploaded parts faster than the garbage collector clears them, leading to resource exhaustion.

Note: Successful exploitation depends on the JVM settings, the application memory usage, and application load.

How to fix Improper Resource Shutdown or Release?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.110, 10.1.47, 11.0.12 or higher.

[,9.0.110)[10.0.0-M1,10.1.47)[11.0.0-M1,11.0.12)

Allocation of Resources Without Limits or Throttling

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Authentication Bypass Using an Alternate Path or Channel

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Time-of-check Time-of-use (TOCTOU) Race Condition

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.

[8.5.0,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)

Time-of-check Time-of-use (TOCTOU) Race Condition

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.

This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

Note:

The default readonly initialization parameter value of true is not vulnerable.

This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.

[8.5.0,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)

Improper Input Validation

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper parsing of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a trailer header that exceeds the header size limit. This could lead to request smuggling when the server is behind a reverse proxy.

How to fix Improper Input Validation?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.96, 9.0.83, 10.1.16, 11.0.0-M10 or higher.

[8.5.0,8.5.96)[9.0.0-M1,9.0.83)[10.1.0-M1,10.1.16)[11.0.0-M1,11.0.0-M10)

Incomplete Cleanup

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

How to fix Incomplete Cleanup?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)

Access Restriction Bypass

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Access Restriction Bypass. If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

The vulnerability is limited to the ROOT (default) web application.

How to fix Access Restriction Bypass?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.93, 9.0.80, 10.1.13, 11.0.0-M11 or higher.

[8.5.0,8.5.93)[9.0.0-M1,9.0.80)[10.1.0-M1,10.1.13)[11.0.0-M1,11.0.0-M11)

Unprotected Transport of Credentials

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Unprotected Transport of Credentials when using the RemoteIpFilter with requests received from a reverse proxy via HTTP, in which the X-Forwarded-Proto header is set to https. Session cookies do not include the secure attribute, so the user agent may transmit the session cookie over an insecure channel.

How to fix Unprotected Transport of Credentials?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3 or higher.

[8.5.0,8.5.86)[9.0.0-M1,9.0.72)[10.1.0-M1,10.1.6)[11.0.0-M1,11.0.0-M3)

Denial of Service (DoS)

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.

NOTE: After upgrading to the fixed version, the setFileCountMax() must be explicitly set to avoid this vulnerability.

How to fix Denial of Service (DoS)?

Upgrade org.apache.tomcat:tomcat-catalina to version 8.5.85, 9.0.71, 10.1.5, 11.0.0-M3 or higher.

[8.5.0,8.5.85)[9.0.0-M1,9.0.71)[10.1.0-M1,10.1.5)[11.0.0-M1,11.0.0-M3)

org.apache.tomcat:tomcat-catalina@8.5.81

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically