org.apache.tomcat:tomcat 8.5.93 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.apache.tomcat:tomcat package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
M Incomplete Cleanup org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error. How to fix Incomplete Cleanup? Upgrade `org.apache.tomcat:tomcat` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)
M Improper Input Validation org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of `HTTP` trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy. How to fix Improper Input Validation? Upgrade `org.apache.tomcat:tomcat` to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.	[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)
M Incomplete Cleanup org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. Affected versions of this package are vulnerable to Incomplete Cleanup in the internal fork of `Commons FileUpload` package. An attacker can potentially cause a denial of service on Windows by opening a stream for an uploaded file but failing to close the stream. This results in the file never being deleted from the disk, creating the possibility of an eventual denial of service due to the disk being full. Note: This vulnerability is exploitable on Windows operating systems. How to fix Incomplete Cleanup? Upgrade `org.apache.tomcat:tomcat` to version 8.5.94, 9.0.81 or higher.	[8.5.85,8.5.94)[9.0.70,9.0.81)

Vulnerability

Vulnerable Version

Incomplete Cleanup

org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies.

Affected versions of this package are vulnerable to Incomplete Cleanup when recycling various internal objects. An error could cause some parts of the recycling process to be skipped, leading to information leaking from the current request/response to the next. An attacker can gain unauthorised access to sensitive information by exploiting this error.

How to fix Incomplete Cleanup?

Upgrade org.apache.tomcat:tomcat to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)

Improper Input Validation

org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies.

Affected versions of this package are vulnerable to Improper Input Validation due to the improper handling of HTTP trailer headers. An attacker can manipulate the server into treating a single request as multiple requests by sending a specially crafted, invalid trailer header. This could lead to request smuggling when the server is behind a reverse proxy.

How to fix Improper Input Validation?

Upgrade org.apache.tomcat:tomcat to version 8.5.94, 9.0.81, 10.1.14, 11.0.0-M12 or higher.

[8.5.0,8.5.94)[9.0.0-M1,9.0.81)[10.1.0-M1,10.1.14)[11.0.0-M1,11.0.0-M12)

Incomplete Cleanup

org.apache.tomcat:tomcat is an implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies.

Affected versions of this package are vulnerable to Incomplete Cleanup in the internal fork of Commons FileUpload package. An attacker can potentially cause a denial of service on Windows by opening a stream for an uploaded file but failing to close the stream. This results in the file never being deleted from the disk, creating the possibility of an eventual denial of service due to the disk being full.

Note:

This vulnerability is exploitable on Windows operating systems.

How to fix Incomplete Cleanup?

Upgrade org.apache.tomcat:tomcat to version 8.5.94, 9.0.81 or higher.

[8.5.85,8.5.94)[9.0.70,9.0.81)

org.apache.tomcat:tomcat@8.5.93 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

How to fix?