cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2024-56337,https://securityvulnerability.io/vulnerability/CVE-2024-56337,Race Condition Vulnerability in Apache Tomcat Affects Multiple Versions,"CVE-2024-56337 is a Time-of-Check to Time-of-Use (TOCTOU) race condition vulnerability affecting Apache Tomcat across several versions. The vulnerability arises when Tomcat is run on a case-insensitive file system with the default servlet write capability enabled. Users may be exposed if they do not properly configure their systems as the initial workaround for CVE-2024-50379 was insufficient. Specifically, additional configuration is vital for systems utilizing Java 8 or Java 11, where the system property 'sun.io.useCanonCaches' needs to be set to false. For Java 17, the same property, if originally set, must also be false, while Tomcat versions 11.0.3, 10.1.35, and 9.0.99 and higher will check this setting before allowing default servlet write access on case-insensitive file systems, automatically applying the appropriate configurations where applicable.",Apache,Apache Tomcat,9.8,CRITICAL,0.0004299999854993075,false,,true,false,true,2025-01-27T16:33:56.000Z,,true,true,2024-12-26T02:52:02.176Z,2024-12-20T16:15:00.000Z,6396
CVE-2024-54677,https://securityvulnerability.io/vulnerability/CVE-2024-54677,Uncontrolled Resource Consumption in Apache Tomcat Affects Performance,"The uncontrolled resource consumption vulnerability found in the examples web application of Apache Tomcat allows attackers to potentially exhaust server resources, leading to a denial of service. This affects multiple versions of Apache Tomcat, including those as recent as 11.0.1. To mitigate this issue, users are strongly encouraged to upgrade to the patched versions 11.0.2, 10.1.34, or 9.0.98 as soon as possible.",Apache,Apache Tomcat,5.3,MEDIUM,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-12-17T13:15:00.000Z,0
CVE-2024-50379,https://securityvulnerability.io/vulnerability/CVE-2024-50379,Race Condition Vulnerability in Apache Tomcat Leading to Remote Code Execution,"The vulnerability allows an attacker to potentially execute arbitrary code on systems running Apache Tomcat, specifically when the default servlet is enabled for write access, and the system is utilizing case insensitive file systems. This occurs due to a timing issue during JSP compilation, which results in a time-of-check time-of-use (TOCTOU) race condition. The affected versions include Apache Tomcat from 11.0.0-M1 to 11.0.1, 10.1.0-M1 to 10.1.33, and 9.0.0.M1 to 9.0.97. To mitigate this vulnerability, it is crucial for users to upgrade to the patched versions: 11.0.2, 10.1.34, or 9.0.98.",Apache,Apache Tomcat,9.8,CRITICAL,0.0004299999854993075,false,,true,false,true,2024-12-20T14:24:10.000Z,true,true,true,2024-12-24T00:52:01.825Z,2024-12-17T13:15:00.000Z,9063
CVE-2024-52318,https://securityvulnerability.io/vulnerability/CVE-2024-52318,Incorrect Object Recycling and Reuse Vulnerability in Apache Tomcat,"Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.",Apache,Apache Tomcat,6.1,MEDIUM,0.0004299999854993075,false,,false,false,true,2024-11-21T15:38:48.000Z,true,false,false,,2024-11-18T13:15:00.000Z,0
CVE-2024-52316,https://securityvulnerability.io/vulnerability/CVE-2024-52316,Unchecked Error Condition Vulnerability Affects Apache Tomcat,"This vulnerability within Apache Tomcat arises from the potential for authentication bypass when a custom Jakarta Authentication ServerAuthContext encounters an exception. If this exception occurs without a corresponding HTTP status indicating failure, the system may erroneously allow the user to pass through authentication checks. Currently, there are no known Jakarta Authentication components that exhibit such behavior, highlighting the importance of proper configuration to prevent unauthorized access. Users of affected versions are strongly advised to upgrade to the latest secure releases to mitigate this risk.",Apache,Apache Tomcat,9.8,CRITICAL,0.0004299999854993075,false,,false,false,true,2024-11-20T19:22:50.000Z,true,false,false,,2024-11-18T12:15:00.000Z,0
CVE-2024-52317,https://securityvulnerability.io/vulnerability/CVE-2024-52317,Incorrect Object Recycling Vulnerability Affects Apache Tomcat Versions,"Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.",Apache,Apache Tomcat,6.5,MEDIUM,0.0004299999854993075,false,,false,false,true,2024-11-21T15:20:42.000Z,true,false,false,,2024-11-18T12:15:00.000Z,0
CVE-2024-38286,https://securityvulnerability.io/vulnerability/CVE-2024-38286,Allocation of Resources Without Limits or Throttling Vulnerability Affects Multiple Apache Tomcat Versions,"A resource allocation vulnerability exists in Apache Tomcat, allowing attackers to exploit the TLS handshake process. This exploitation can lead to an OutOfMemoryError under specific configurations on any platform, potentially affecting the availability of the application. The issue impacts several versions of Apache Tomcat, prompting users to update to secure versions 11.0.0-M21, 10.1.25, or 9.0.90 to mitigate this risk. Older, unsupported versions of the software may also be vulnerable.",Apache,Apache Tomcat,8.6,HIGH,0.0004299999854993075,false,,false,false,false,,,false,false,,2024-11-07T07:37:32.224Z,0
CVE-2024-34750,https://securityvulnerability.io/vulnerability/CVE-2024-34750,"Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption Vulnerability Affects Apache Tomcat","The vulnerability CVE-2024-34750 affects Apache Tomcat, an open-source server, and can be exploited to overload the server's computing resources, leading to a Denial of Service (DoS) attack. The vulnerability affects various versions of Apache Tomcat, and it was discovered directly by the Tomcat security team. The issue stems from an improper handling of HTTP/2 streams, resulting in an incorrect infinite timeout, which allows connections to remain open when they should have been closed. The impact of this vulnerability can be severe, causing service slowdowns or outages. It is recommended to update Tomcat to the patched versions to mitigate the risk. There is a high urgency in addressing this vulnerability due to its potential impact on service availability.",Apache,Apache Tomcat,,,0.0004299999854993075,false,,true,false,true,2024-07-05T18:19:39.000Z,,false,false,,2024-07-03T20:15:00.000Z,0
CVE-2024-23672,https://securityvulnerability.io/vulnerability/CVE-2024-23672,Incomplete Cleanup Vulnerability in Apache Tomcat Could Lead to Denial of Service,"Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. ",Apache,Apache Tomcat,,,0.0004400000034365803,false,,false,false,false,,,false,false,,2024-03-13T15:48:42.610Z,0
CVE-2024-24549,https://securityvulnerability.io/vulnerability/CVE-2024-24549,Apache Tomcat Denial of Service Vulnerability Affects Multiple Versions,"Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. ",Apache,Apache Tomcat,,,0.00044999999227002263,false,,false,false,true,2024-12-09T13:59:07.000Z,true,false,false,,2024-03-13T15:46:53.085Z,0
CVE-2024-21733,https://securityvulnerability.io/vulnerability/CVE-2024-21733,Apache Tomcat Vulnerability: Generation of Error Message Containing Sensitive Information,"A vulnerability has been identified in Apache Tomcat that allows for the generation of error messages containing sensitive information. This susceptibility affects versions 8.5.7 through 8.5.63 and 9.0.0-M11 through 9.0.43 of Apache Tomcat. It can potentially expose critical information that may assist an attacker in further compromising the system. Users are advised to upgrade to versions 8.5.64 or later, or 9.0.44 or later, which implement necessary security fixes to mitigate this issue.",Apache,Apache Tomcat,5.3,MEDIUM,0.006920000072568655,false,,true,false,true,2024-02-02T04:10:02.000Z,true,true,false,,2024-01-19T10:29:04.694Z,5574
CVE-2023-46589,https://securityvulnerability.io/vulnerability/CVE-2023-46589,Apache Tomcat: HTTP request smuggling via malformed trailer headers,"An improper input validation vulnerability has been identified in Apache Tomcat, affecting several versions. This flaw arises from incorrect parsing of HTTP trailer headers, which can allow a single request to be misinterpreted as multiple requests. As a result, this can lead to potential request smuggling issues when the server is situated behind a reverse proxy. It is crucial for users to update to the fixed versions—11.0.0-M11 and onwards, 10.1.16 and onwards, 9.0.83 and onwards, or 8.5.96 and onwards—to mitigate this risk.",Apache,Apache Tomcat,7.5,HIGH,0.005960000213235617,false,,false,false,false,,,false,false,,2023-11-28T16:15:00.000Z,0
CVE-2023-45648,https://securityvulnerability.io/vulnerability/CVE-2023-45648,Tomcat vulnerable to Improper Input Validation attack,"Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. ",Apache,Apache Tomcat,5.3,MEDIUM,0.004470000043511391,false,,false,false,false,,,false,false,,2023-10-10T19:15:00.000Z,0
CVE-2023-42794,https://securityvulnerability.io/vulnerability/CVE-2023-42794,Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows,"An incomplete cleanup vulnerability in the internal fork of Commons FileUpload within Apache Tomcat affects versions 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93. If a web application opens a stream for an uploaded file without closing it, the associated file remains on disk, potentially leading to a denial-of-service condition when disk space is exhausted. Users are advised to upgrade to Apache Tomcat versions 9.0.81 or 8.5.94 to mitigate this issue.",Apache,Apache Tomcat,7.5,HIGH,0.0007999999797903001,false,,false,false,false,,,false,false,,2023-10-10T18:15:00.000Z,0
CVE-2023-42795,https://securityvulnerability.io/vulnerability/CVE-2023-42795,Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests,"Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. ",Apache,Apache Tomcat,5.3,MEDIUM,0.014329999685287476,false,,false,false,false,,,false,false,,2023-10-10T18:15:00.000Z,0
CVE-2023-41081,https://securityvulnerability.io/vulnerability/CVE-2023-41081,Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request,"The mod_jk component of Apache Tomcat Connectors allows for an authentication bypass under specific configuration conditions. If 'JkOptions +ForwardDirectories' is used without providing explicit mounts for all proxied requests, mod_jk defaults to an implicit mapping. This can inadvertently expose the status worker and compromise security constraints set in Apache HTTP Server. Users are advised to upgrade to mod_jk version 1.2.49 or later, where the problematic implicit mapping functionality has been eliminated, ensuring all mappings require explicit configuration.",Apache,Apache Tomcat Connectors,7.5,HIGH,0.002300000051036477,false,,false,false,false,,,false,false,,2023-09-13T10:15:00.000Z,0
CVE-2023-41080,https://securityvulnerability.io/vulnerability/CVE-2023-41080,Apache Tomcat: Open redirect with FORM authentication,"URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application.",Apache,Apache Tomcat,6.1,MEDIUM,0.005080000031739473,false,,false,false,true,2023-08-26T15:11:31.000Z,true,false,false,,2023-08-25T21:15:00.000Z,0
CVE-2023-34981,https://securityvulnerability.io/vulnerability/CVE-2023-34981,Apache Tomcat: AJP response header mix-up,"A regression in the security fix related to a previous bug within Apache Tomcat has introduced a vulnerability that can lead to information disclosure. Specifically, when the response lacks HTTP headers, the AJP SEND_HEADERS message is not sent. This omission allows at least one AJP proxy (mod_proxy_ajp) to unintentionally reuse the response headers from prior requests. This misbehavior could result in sensitive information being exposed, compromising the server's overall security.",Apache,Apache Tomcat,7.5,HIGH,0.001979999942705035,false,,false,false,false,,,false,false,,2023-06-21T11:15:00.000Z,0
CVE-2023-28709,https://securityvulnerability.io/vulnerability/CVE-2023-28709,Apache Tomcat: Fix for CVE-2023-24998 is incomplete,"The vulnerability arises due to an incomplete fix for a prior issue in Apache Tomcat, affecting certain versions where custom HTTP connector settings have been configured. This flaw allows attackers to exploit bypass mechanisms for the maximum number of request parameters, permitting them to circumvent the restrictions imposed on uploaded request parts. An attacker could utilize this behavior to potentially launch a denial of service attack by submitting crafted requests that exploit the parameter limits, leading to service disruption.",Apache,Apache Tomcat,7.5,HIGH,0.016699999570846558,false,,false,false,false,,,false,false,,2023-05-22T11:15:00.000Z,0
CVE-2023-28708,https://securityvulnerability.io/vulnerability/CVE-2023-28708,Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations," When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. ",Apache,Apache Tomcat,4.3,MEDIUM,0.0013299999991431832,false,,false,false,false,,,false,false,,2023-03-22T11:15:00.000Z,0
CVE-2023-24998,https://securityvulnerability.io/vulnerability/CVE-2023-24998,"Apache Commons FileUpload, Apache Tomcat: FileUpload DoS with excessive parts","The Apache Commons FileUpload before version 1.5 is susceptible to a Denial of Service attack due to its failure to restrict the number of parts processed in a request. This oversight allows an attacker to exploit the system by making malicious uploads or sending a series of uploads, potentially overwhelming the application. Additionally, the new configuration option, FileUploadBase#setFileCountMax, which addresses this issue by limiting the number of request parts, is not enabled by default and requires explicit configuration to safeguard against these attacks.",Apache,"Apache Commons Fileupload,Apache Tomcat",7.5,HIGH,0.011350000277161598,false,,false,false,true,2023-03-29T01:36:29.000Z,true,false,false,,2023-02-20T16:15:00.000Z,0
CVE-2022-45143,https://securityvulnerability.io/vulnerability/CVE-2022-45143,Apache Tomcat: JsonErrorReportValve escaping,"The JsonErrorReportValve in Apache Tomcat versions 8.5.83, 9.0.40 to 9.0.68, and 10.1.0-M1 to 10.1.1 exposes a vulnerability due to improper handling of user-provided data. Specifically, the system fails to escape values for the type, message, or description, allowing attackers to manipulate JSON output. This flaw could potentially be exploited to compromise the integrity of the application by injecting malicious data, leading to variable outcome in how information is rendered in JSON format.",Apache,Apache Tomcat,7.5,HIGH,0.002749999985098839,false,,false,false,false,,,false,false,,2023-01-03T18:12:28.351Z,0
CVE-2022-42252,https://securityvulnerability.io/vulnerability/CVE-2022-42252,Apache Tomcat request smuggling via malformed content-length,"If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.",Apache,Apache Tomcat,7.5,HIGH,0.002400000113993883,false,,false,false,false,,,false,false,,2022-11-01T00:00:00.000Z,0
CVE-2021-43980,https://securityvulnerability.io/vulnerability/CVE-2021-43980,Apache Tomcat: Information disclosure,"The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.",Apache,Apache Tomcat,3.7,LOW,0.0014900000533089042,false,,false,false,false,,,false,false,,2022-09-28T00:00:00.000Z,0
CVE-2022-34305,https://securityvulnerability.io/vulnerability/CVE-2022-34305,XSS in examples web application,"In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.",Apache,Apache Tomcat,6.1,MEDIUM,0.001560000004246831,false,,false,false,false,,,false,false,,2022-06-23T10:30:16.000Z,0