Homepage

org.apache.tomcat:tomcat-coyote@9.0.58 vulnerabilities

  • latest version

    11.0.11

  • latest non vulnerable version

    11.0.11

  • first published

    15 years ago

  • latest version published

    16 days ago

  • licenses detected

  • package registry

    View on Maven Central Repository
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the org.apache.tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Improper Resource Shutdown or Release

    org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

    Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown.

    How to fix Improper Resource Shutdown or Release?

    Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.108, 10.1.44, 11.0.10 or higher.

    [9.0.0.M1,9.0.108)[10.1.0-M1,10.1.44)[11.0.0-M1,11.0.10)
    • H
    Allocation of Resources Without Limits or Throttling

    org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.107, 10.1.43, 11.0.9 or higher.

    [9.0.0.M1,9.0.107)[10.1.0-M1,10.1.43)[11.0.0-M1,11.0.9)
    • H
    Allocation of Resources Without Limits or Throttling

    org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

    Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the unwrap() function in SecureNio2Channel class, during a TLS handshake. Under certain configurations using TLS 1.3, an attacker can trigger an OutOfMemoryError.

    How to fix Allocation of Resources Without Limits or Throttling?

    Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

    [9.0.13,9.0.90)[10.1.0-M1,10.1.25)[11.0.0-M1,11.0.0-M21)
    • H
    Insufficient Session Expiration

    org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

    Affected versions of this package are vulnerable to Insufficient Session Expiration due to an infinite timeout being assigned to an open connection improperly, in http2/Stream.java. An attacker can force this situation by sending an HTTP/2 stream with excessive headers, causing an out-of-memory error or exhausting maxConnections.

    How to fix Insufficient Session Expiration?

    Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.90, 10.1.25, 11.0.0-M21 or higher.

    [,9.0.90)[10.1.0-M1,10.1.25)[11.0.0-M1,11.0.0-M21)
    • H
    Denial of Service (DoS)

    org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

    Affected versions of this package are vulnerable to Denial of Service (DoS) when processing a crafted HTTP/2 request. If the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.

    How to fix Denial of Service (DoS)?

    Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.99, 9.0.86, 10.1.19, 1.0.0-M17 or higher.

    [8.5.0,8.5.99)[9.0.0-M1,9.0.86)[10.1.0-M1,10.1.19)[11.0.0-M1,1.0.0-M17)
    • M
    Improper Input Validation

    org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

    Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

    How to fix Improper Input Validation?

    Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

    [8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)
    • H
    Denial of Service (DoS)

    org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

    Affected versions of this package are vulnerable to Denial of Service (DoS) in the implementation of the HTTP/2 protocol. An attacker can cause a denial of service (including via DDoS) by rapidly resetting many streams through request cancellation.

    How to fix Denial of Service (DoS)?

    Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

    [,8.5.94)[9.0.0,9.0.81)[10.0.0,10.1.14)[11.0.0-M3,11.0.0-M12)
    • L
    HTTP Request Smuggling

    org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

    Affected versions of this package are vulnerable to HTTP Request Smuggling when improper requests containing an invalid Content-Length header are not being properly rejected.

    Note: Exploiting this vulnerability is also possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.

    How to fix HTTP Request Smuggling?

    Upgrade org.apache.tomcat:tomcat-coyote to version 8.5.53, 9.0.68, 10.0.27, 10.1.1 or higher.

    [8.5.0,8.5.53)[9.0.0-M1,9.0.68)[10.0.0-M1,10.0.27)[10.1.0-M1,10.1.1)
    Go back to all versions of this package