Insufficient Technical Documentation Affecting org.apache.tomcat:tomcat-catalina package, versions [9.0.13,]


  • severity score

    0.0 (low)

  • Attack Complexity

    High

  • snyk-id

    SNYK-JAVA-ORGAPACHETOMCAT-2813806

  • published

    11 May 2022

  • disclosed

    11 May 2022

  • credit

    Unknown

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

org.apache.tomcat:tomcat-catalina provides the Tomcat Servlet Engine core classes and standard implementations.

Affected versions of this package are vulnerable to Insufficient Technical Documentation. The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Note: The documentation was updated in version 9.0.63, which has not yet been published to Maven.
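To make the advisory's point concrete, here is a minimal server.xml cluster fragment showing where EncryptInterceptor sits in the Tribes channel and what it does not cover. This is an added example, not configuration from the advisory or from the Tomcat project's documentation; the element and attribute names are Tomcat's own, while the key value is a placeholder, the Membership/Receiver/Sender elements are omitted, and the interceptor ordering is an assumption you should check against the Tomcat clustering documentation for your version.

```xml
<!-- Added example (not from the advisory): Tomcat 9 cluster channel with
     EncryptInterceptor. Key value is a placeholder; replace it with a
     hex-encoded key of the length the chosen algorithm requires. -->
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <!-- The usual Membership, Receiver and Sender elements go here (omitted). -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/>
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.MessageDispatchInterceptor"/>
    <!-- Encrypts channel messages between cluster members. It does NOT
         prevent a host on the same network from flooding the receiver
         port or the membership multicast group (the DoS risk the advisory
         names), so the cluster ports must still be reachable only from
         trusted members: use a firewall rule or a dedicated cluster
         network segment. Ordering relative to the other interceptors is
         an assumption here; verify it against the Tomcat docs. -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionAlgorithm="AES/CBC/PKCS5Padding"
                 encryptionKey="REPLACE_WITH_HEX_ENCODED_KEY"/>
  </Channel>
</Cluster>
```

The practical check after deploying this is a port scan of the cluster members from a host outside the trusted segment: the Receiver port and multicast membership port should be unreachable, because EncryptInterceptor only protects the content of messages that are already being delivered, not the availability of the endpoint receiving them.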