tomcat:tomcat-coyote 5.5.7-alpha

Direct Vulnerabilities

Known vulnerabilities in the tomcat:tomcat-coyote package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Improper Validation of Syntactic Correctness of Input tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behavior or potentially compromise the application by sending specially crafted HTTP/2 request headers. How to fix Improper Validation of Syntactic Correctness of Input? A fix was pushed into the `master` branch but not yet published.	[0,)
M Information Exposure tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat. Affected versions of this package are vulnerable to Information Exposure. The previous fix for `CVE-2007-3385` was incomplete. It did not consider the use of quotes or `%5C` within a cookie value which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. How to fix Information Exposure? There is no fixed version for `tomcat:tomcat-coyote`.	[4.1.0,)
H Access Restriction Bypass `tomcat:tomcat-coyote` Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.	[5.5.4,)
M Information Exposure tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat. Affected versions of this package are vulnerable to Information Exposure. Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090. How to fix Information Exposure? There is no fixed version for `tomcat:tomcat-coyote`.	[0,)
M Denial of Service (DoS) tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat. Affected versions of this package are vulnerable to Denial of Service (DoS). Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544. How to fix Denial of Service (DoS)? Upgrade `tomcat:tomcat-coyote` to version 5.5.24 or higher.	[3.3.2,5.5.24)
M Information Exposure tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat. Affected versions of this package are vulnerable to Information Exposure. Does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer." How to fix Information Exposure? Upgrade `tomcat:tomcat-coyote` to version 5.5.30 or higher.	[5.5,5.5.30)

Vulnerability

Vulnerable Version

Improper Validation of Syntactic Correctness of Input

tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of HTTP/2 request headers. An attacker can cause unexpected behavior or potentially compromise the application by sending specially crafted HTTP/2 request headers.

How to fix Improper Validation of Syntactic Correctness of Input?

A fix was pushed into the master branch but not yet published.

[0,)

Information Exposure

tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

Affected versions of this package are vulnerable to Information Exposure. The previous fix for CVE-2007-3385 was incomplete. It did not consider the use of quotes or %5C within a cookie value which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks.

How to fix Information Exposure?

There is no fixed version for tomcat:tomcat-coyote.

[4.1.0,)

Access Restriction Bypass

tomcat:tomcat-coyote Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

[5.5.4,)

Information Exposure

tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

Affected versions of this package are vulnerable to Information Exposure. Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

How to fix Information Exposure?

There is no fixed version for tomcat:tomcat-coyote.

[0,)

Denial of Service (DoS)

tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

Affected versions of this package are vulnerable to Denial of Service (DoS). Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.

How to fix Denial of Service (DoS)?

Upgrade tomcat:tomcat-coyote to version 5.5.24 or higher.

[3.3.2,5.5.24)

Information Exposure

tomcat:tomcat-coyote is a discontinued coyote plugin for Tomcat.

Affected versions of this package are vulnerable to Information Exposure. Does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."

How to fix Information Exposure?

Upgrade tomcat:tomcat-coyote to version 5.5.30 or higher.

[5.5,5.5.30)

tomcat:tomcat-coyote@5.5.7-alpha

latest version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically