org.apache.tomcat:tomcat-coyote 9.0.93 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Improper Resource Shutdown or Release org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown. How to fix Improper Resource Shutdown or Release? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.108, 10.1.44, 11.0.10 or higher.	[9.0.0.M1,9.0.108)[10.1.0-M1,10.1.44)[11.0.0-M1,11.0.10)
H Allocation of Resources Without Limits or Throttling org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.107, 10.1.43, 11.0.9 or higher.	[9.0.0.M1,9.0.107)[10.1.0-M1,10.1.43)[11.0.0-M1,11.0.9)
H Improper Cleanup on Thrown Exception org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Improper Cleanup on Thrown Exception when handling failed HTTP/2 requests with certain invalid HTTP priority headers. An attacker can trigger an `OutOfMemoryException` by sending a large number of malicious requests. Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released. How to fix Improper Cleanup on Thrown Exception? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.104, 10.1.40, 11.0.6 or higher.	[9.0.76,9.0.104)[10.1.10,10.1.40)[11.0.0-M2,11.0.6)
M Inadequate Encryption Strength org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser. Affected versions of this package are vulnerable to Inadequate Encryption Strength due to incorrect recycling of the request and response used by HTTP/2 requests. An attacker can cause a mix-up of requests and/or responses between users by exploiting the reuse of incorrect objects. How to fix Inadequate Encryption Strength? Upgrade `org.apache.tomcat:tomcat-coyote` to version 9.0.96, 10.1.31, 11.0.0 or higher.	[9.0.93,9.0.96)[10.1.28,10.1.31)[11.0.0-M24,11.0.0)

Vulnerability

Vulnerable Version

Improper Resource Shutdown or Release

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release via the HTTP/2 Handler. An attacker can cause a denial of service by sending specially crafted requests that exploit improper handling of resource shutdown.

How to fix Improper Resource Shutdown or Release?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.108, 10.1.44, 11.0.10 or higher.

[9.0.0.M1,9.0.108)[10.1.0-M1,10.1.44)[11.0.0-M1,11.0.10)

Allocation of Resources Without Limits or Throttling

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via HTTP/2 multiplexing feature. an attacker can trigger resource exhaustion by creating excessive HTTP/2 streams within a single TCP connection.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.107, 10.1.43, 11.0.9 or higher.

[9.0.0.M1,9.0.107)[10.1.0-M1,10.1.43)[11.0.0-M1,11.0.9)

Improper Cleanup on Thrown Exception

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Improper Cleanup on Thrown Exception when handling failed HTTP/2 requests with certain invalid HTTP priority headers. An attacker can trigger an OutOfMemoryException by sending a large number of malicious requests.

Note: The project maintainers note that version 9.0.103 also fixes the vulnerability but was never officially released.

How to fix Improper Cleanup on Thrown Exception?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.104, 10.1.40, 11.0.6 or higher.

[9.0.76,9.0.104)[10.1.10,10.1.40)[11.0.0-M2,11.0.6)

Inadequate Encryption Strength

org.apache.tomcat:tomcat-coyote is a Tomcat Connectors and HTTP parser.

Affected versions of this package are vulnerable to Inadequate Encryption Strength due to incorrect recycling of the request and response used by HTTP/2 requests. An attacker can cause a mix-up of requests and/or responses between users by exploiting the reuse of incorrect objects.

How to fix Inadequate Encryption Strength?

Upgrade org.apache.tomcat:tomcat-coyote to version 9.0.96, 10.1.31, 11.0.0 or higher.

[9.0.93,9.0.96)[10.1.28,10.1.31)[11.0.0-M24,11.0.0)

org.apache.tomcat:tomcat-coyote@9.0.93 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?