org.apache.tomcat:tomcat-catalina 9.0.85 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-catalina package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Integer Overflow or Wraparound org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion. How to fix Integer Overflow or Wraparound? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.107, 10.1.43, 11.0.9 or higher.	[9.0.0.M1,9.0.107)[10.0.0-M1,10.1.43)[11.0.0-M1,11.0.9)
H Allocation of Resources Without Limits or Throttling org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
M Authentication Bypass Using an Alternate Path or Channel org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how `PreResources` or `PostResources` handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints. How to fix Authentication Bypass Using an Alternate Path or Channel? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.106, 10.1.42, 11.0.8 or higher.	[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)
M Improper Handling of Case Sensitivity org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the `pathInfo` component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the `pathInfo` component by exploiting this vulnerability on a case insensitive file system. How to fix Improper Handling of Case Sensitivity? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.105, 10.1.41, 11.0.7 or higher.	[9.0.0.M1,9.0.105)[10.1.0-M1,10.1.41)[11.0.0-M1,11.0.7)
M Improper Neutralization org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Improper Neutralization in the `RewriteValve` class, which handles rewrite rules. If rewrite rules are configured to enforce security constraints, those security constraints can be bypassed in some cases by sending a malicious request involving `;` or `?` characters. Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released. How to fix Improper Neutralization? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.104, 10.1.40, 11.0.6 or higher.	[9.0.76,9.0.104)[10.1.10,10.1.40)[11.0.0-M2,11.0.6)
H Path Equivalence org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Path Equivalence in the `doPut()` function in `DefaultServlet.java`, which insecurely replaces path separators with `.`s. If the Default Servlet is configured with writes enabled - which it is not by default - a user can exploit Tomcat's partial `PUT` functionality to achieve code execution via deserialization. The target URL containing sensitive uploaded files must be a sub-directory of a target URL for public uploads, and the malicious user must know the names of the target sensitive files, which are also uploaded using a partial `PUT`. If both attacker and target application are using the default storage location and it contains a library that deserializes untrusted code, the attacker can trigger the execution of malicious code. How to fix Path Equivalence? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.99, 10.1.35, 11.0.3 or higher.	[9.0.0.M1,9.0.99)[10.1.0-M1,10.1.35)[11.0.0-M1,11.0.3)
C Time-of-check Time-of-use (TOCTOU) Race Condition org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled. In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat : running on Java 8 or Java 11: the system property `sun.io.useCanonCaches` must be explicitly set to false (it defaults to true) running on Java 17: the system property `sun.io.useCanonCaches`, if set, must be set to false (it defaults to false) running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.98, 10.1.34, 11.0.2 or higher.	[9.0.0.M1,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)
C Time-of-check Time-of-use (TOCTOU) Race Condition org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed. This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously. Note: The default `readonly` initialization parameter value of `true` is not vulnerable. This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability; In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat : running on Java 8 or Java 11: the system property `sun.io.useCanonCaches` must be explicitly set to false (it defaults to true) running on Java 17: the system property `sun.io.useCanonCaches`, if set, must be set to false (it defaults to false) running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed) How to fix Time-of-check Time-of-use (TOCTOU) Race Condition? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.98, 10.1.34, 11.0.2 or higher.	[9.0.0.M1,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)
C Uncaught Exception org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations. Affected versions of this package are vulnerable to Uncaught Exception due to the custom Jakarta Authentication `ServerAuthContext` component which may throw an exception during the authentication process without setting an HTTP status to indicate failure. An attacker can gain unauthorized access by exploiting this unchecked error condition. Note: This is only exploitable if Tomcat is configured to use a custom Jakarta Authentication `ServerAuthContext` component that behaves in this way. According to the maintainers, no such cases are known. How to fix Uncaught Exception? Upgrade `org.apache.tomcat:tomcat-catalina` to version 9.0.96, 10.1.31, 11.0.0 or higher.	[9.0.0.M1,9.0.96)[10.1.0-M1,10.1.31)[11.0.0-M1,11.0.0)

Vulnerability

Vulnerable Version

Integer Overflow or Wraparound

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Integer Overflow or Wraparound via file uploads through servlet containers. An attacker can craft malicious multipart/form-data requests with specially crafted Content-Length headers that trigger integer overflow vulnerabilities, potentially bypassing file size restrictions and causing memory exhaustion.

How to fix Integer Overflow or Wraparound?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.107, 10.1.43, 11.0.9 or higher.

[9.0.0.M1,9.0.107)[10.0.0-M1,10.1.43)[11.0.0-M1,11.0.9)

Allocation of Resources Without Limits or Throttling

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the uniform handling of request parameters and parts in multipart requests. An attacker can craft a malicious request with a large number of parts, which can lead to a Denial of Service.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Authentication Bypass Using an Alternate Path or Channel

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel due to how PreResources or PostResources handle pre-resources or post-resources mounted at non-root locations. An attacker can gain unauthorized access to protected resources by crafting requests to unexpected paths that bypass intended security constraints.

How to fix Authentication Bypass Using an Alternate Path or Channel?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.106, 10.1.42, 11.0.8 or higher.

[,9.0.106)[10.1.0-M1,10.1.42)[11.0.0-M1,11.0.8)

Improper Handling of Case Sensitivity

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity in the pathInfo component of a URI mapped to the CGI servlet. An attacker can bypass security constraints that apply to the pathInfo component by exploiting this vulnerability on a case insensitive file system.

How to fix Improper Handling of Case Sensitivity?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.105, 10.1.41, 11.0.7 or higher.

[9.0.0.M1,9.0.105)[10.1.0-M1,10.1.41)[11.0.0-M1,11.0.7)

Improper Neutralization

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Improper Neutralization in the RewriteValve class, which handles rewrite rules. If rewrite rules are configured to enforce security constraints, those security constraints can be bypassed in some cases by sending a malicious request involving ; or ? characters.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

How to fix Improper Neutralization?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.104, 10.1.40, 11.0.6 or higher.

[9.0.76,9.0.104)[10.1.10,10.1.40)[11.0.0-M2,11.0.6)

Path Equivalence

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Path Equivalence in the doPut() function in DefaultServlet.java, which insecurely replaces path separators with .s.

If the Default Servlet is configured with writes enabled - which it is not by default - a user can exploit Tomcat's partial PUT functionality to achieve code execution via deserialization. The target URL containing sensitive uploaded files must be a sub-directory of a target URL for public uploads, and the malicious user must know the names of the target sensitive files, which are also uploaded using a partial PUT. If both attacker and target application are using the default storage location and it contains a library that deserializes untrusted code, the attacker can trigger the execution of malicious code.

How to fix Path Equivalence?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.99, 10.1.35, 11.0.3 or higher.

[9.0.0.M1,9.0.99)[10.1.0-M1,10.1.35)[11.0.0-M1,11.0.3)

Time-of-check Time-of-use (TOCTOU) Race Condition

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition due to imcomplete mitigation advice associated with CVE-2024-50379 in the file-handling process with servlet write enabled.

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.

[9.0.0.M1,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)

Time-of-check Time-of-use (TOCTOU) Race Condition

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition. On case insensitive file systems, when the default servlet is write-enabled, an attacker can upload a malicious file containing executable code and bypass case sensitivity checks, causing it to be treated as a JSP and executed.

This vector has been observed when the application is under load and read and upload operations are performed on the same file simultaneously.

Note:

The default readonly initialization parameter value of true is not vulnerable.

This is related to CVE-2024-56337 where additional configurations are defined to fully mitigate this issue as upgrading to the fixed version doesn't fully mitigate this vulnerability;

In addition to upgrading to the fixed version, users are advised to apply the following mitigations, depending on which version of Java they are using with Tomcat :

running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

How to fix Time-of-check Time-of-use (TOCTOU) Race Condition?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.98, 10.1.34, 11.0.2 or higher.

[9.0.0.M1,9.0.98)[10.1.0-M1,10.1.34)[11.0.0-M1,11.0.2)

Uncaught Exception

org.apache.tomcat:tomcat-catalina is a Tomcat Servlet Engine Core Classes and Standard implementations.

Affected versions of this package are vulnerable to Uncaught Exception due to the custom Jakarta Authentication ServerAuthContext component which may throw an exception during the authentication process without setting an HTTP status to indicate failure. An attacker can gain unauthorized access by exploiting this unchecked error condition.

Note:

This is only exploitable if Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that behaves in this way. According to the maintainers, no such cases are known.

How to fix Uncaught Exception?

Upgrade org.apache.tomcat:tomcat-catalina to version 9.0.96, 10.1.31, 11.0.0 or higher.

[9.0.0.M1,9.0.96)[10.1.0-M1,10.1.31)[11.0.0-M1,11.0.0)

org.apache.tomcat:tomcat-catalina@9.0.85 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?