org.apache.tomcat:tomcat-coyote 10.1.42

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
L Improper Authorization org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Authorization in `prepareRequestProtocol()`, which accepts HTTP/0.9 requests other than `GET`. A security constraint configured to allow `HEAD` requests to a URI but deny `GET` requests allows a user to bypass the constraint by sending an invalid `HEAD` request. How to fix Improper Authorization? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.113, 10.1.50, 11.0.15 or higher.	[,9.0.113)[10.1.0-M1,10.1.50)[11.0.0-M1,11.0.15)
C Improper Certificate Validation org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Certificate Validation in the SNI extension, when client certificate authentication relies exclusively on the Connector (and is not enforced in the web application). The hostname provided via the SNI extension may be different from the hostname in the HTTP host header field. How to fix Improper Certificate Validation? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.113, 10.1.50, 11.0.15 or higher.	[8.5.0,9.0.113)[10.0.0-M1,10.1.50)[11.0.0-M1,11.0.15)
H Improper Resource Shutdown or Release org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown. How to fix Improper Resource Shutdown or Release? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.108, 10.1.44, 11.0.10 or higher.	[9.0.0.M1,9.0.108)[10.1.0-M1,10.1.44)[11.0.0-M1,11.0.10)
H Allocation of Resources Without Limits or Throttling org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.107, 10.1.43, 11.0.9 or higher.	[9.0.0.M1,9.0.107)[10.1.0-M1,10.1.43)[11.0.0-M1,11.0.9)

Vulnerability

Vulnerable Version

Improper Authorization

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Improper Authorization in prepareRequestProtocol(), which accepts HTTP/0.9 requests other than GET. A security constraint configured to allow HEAD requests to a URI but deny GET requests allows a user to bypass the constraint by sending an invalid HEAD request.

How to fix Improper Authorization?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.113, 10.1.50, 11.0.15 or higher.

[,9.0.113)[10.1.0-M1,10.1.50)[11.0.0-M1,11.0.15)

Improper Certificate Validation

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Improper Certificate Validation in the SNI extension, when client certificate authentication relies exclusively on the Connector (and is not enforced in the web application). The hostname provided via the SNI extension may be different from the hostname in the HTTP host header field.

How to fix Improper Certificate Validation?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.113, 10.1.50, 11.0.15 or higher.

[8.5.0,9.0.113)[10.0.0-M1,10.1.50)[11.0.0-M1,11.0.15)

Improper Resource Shutdown or Release

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown.

How to fix Improper Resource Shutdown or Release?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.108, 10.1.44, 11.0.10 or higher.

[9.0.0.M1,9.0.108)[10.1.0-M1,10.1.44)[11.0.0-M1,11.0.10)

Allocation of Resources Without Limits or Throttling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.107, 10.1.43, 11.0.9 or higher.

[9.0.0.M1,9.0.107)[10.1.0-M1,10.1.43)[11.0.0-M1,11.0.9)

org.apache.tomcat:tomcat-coyote@10.1.42

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically