Version 11.0.1
tomcat-coyote
Tomcat Connectors and HTTP parser
Install Instructions
Declare org.apache.tomcat:tomcat-coyote:11.0.1 as a dependency in your Maven build (the purl below gives the coordinates); `mvn install` takes no package argument, so `mvn install tomcat-coyote` is not a valid invocation.
Language Java
Package URL (purl) pkg:maven/org.apache.tomcat:tomcat-coyote@11.0.1
tomcat-coyote Vulnerabilities
CVE | CVSS Score | CWE(s) | EPSS Score | EPSS Percentile |
---|---|---|---|---|
CVE-2011-3190 | High 7.3 | CWE-264 | 0.01408 | 0.86169 |
CVE-2011-3375 | Medium 5.3 | CWE-200 | 0.0025 | 0.64038 |
CVE-2012-2733 | Medium 5.3 | CWE-20 | 0.04484 | 0.92354 |
CVE-2012-3544 | Medium 5.3 | CWE-20 | 0.08407 | 0.94399 |
CVE-2012-4534 | Low 3.7 | CWE-399 | 0.1276 | 0.95454 |
CVE-2013-2185 | High 7.5 | CWE-20, CWE-434 | 0.00345 | 0.7134 |
CVE-2013-4286 | Medium 5.4 | CWE-20 | 0.00525 | 0.76783 |
CVE-2013-4322 | Medium 4.3 | CWE-20 | 0.88301 | 0.98941 |
CVE-2013-4444 | High 7.3 | CWE-94 | 0.08074 | 0.94297 |
CVE-2014-0050 | High 7.5 | CWE-264 | 0.41599 | 0.97351 |
CVE-2014-0075 | Medium 5.3 | CWE-189 | 0.0639 | 0.93607 |
CVE-2014-0099 | Medium 4.3 | CWE-189 | 0.00463 | 0.75161 |
CVE-2016-6816 | High 7.1 | CWE-20, CWE-200 | 0.00786 | 0.81271 |
CVE-2017-5647 | High 7.5 | CWE-200 | 0.00283 | 0.68202 |
CVE-2017-6056 | High 7.5 | CWE-835, CWE-399, CWE-19 | 0.01341 | 0.85799 |
CVE-2020-1938 | High 9.8 | CWE-20, CWE-269 | 0.97422 | 0.99969 |
CVE-2011-0534 | Medium 5.3 | CWE-399 | 0.01031 | 0.83662 |
CVE-2011-1475 | Medium 5.3 | CWE-20 | 0.00548 | 0.7729 |
CVE-2011-2526 | Medium 5.3 | CWE-20 | 0.00046 | 0.18904 |
CVE-2010-2227 | Medium 6.5 | CWE-119 | 0.68921 | 0.98165 |
CVE-2022-42252 | High 7.5 | CWE-20, CWE-444 | 0.0024 | 0.61513 |
CVE-2023-44487 | High 7.5 | CWE-400 | 0.81393 | 0.9859 |
CVE-2024-24549 | High 7.5 | CWE-20 | 0.00045 | 0.15737 |
CVE-2023-24998 | High 7.5 | CWE-770 | 0.01602 | 0.87041 |
CVE-2023-28709 | High 7.5 | CWE-193 | 0.02455 | 0.8971 |
CVE-2016-6817 | High 7.5 | CWE-119, CWE-400 | 0.01651 | 0.87225 |
CVE-2017-5650 | High 7.5 | CWE-404, CWE-399 | 0.6356 | 0.97999 |
CVE-2017-5651 | High 9.8 | CWE-19 | 0.00613 | 0.78521 |
CVE-2019-0199 | High 7.5 | CWE-400 | 0.23425 | 0.96582 |
CVE-2019-10072 | High 7.5 | CWE-667 | 0.1698 | 0.9604 |
CVE-2020-11996 | High 7.5 | CWE-400 | 0.00962 | 0.8308 |
CVE-2020-13943 | Medium 4.3 | | 0.00116 | 0.46138 |
CVE-2020-17527 | High 7.5 | CWE-200 | 0.00255 | 0.64482 |
CVE-2019-17569 | Medium 4.8 | CWE-444 | 0.0035 | 0.71545 |
CVE-2020-1935 | Medium 4.8 | CWE-444 | 0.00732 | 0.80563 |
CVE-2016-8745 | High 7.5 | CWE-200, CWE-388 | 0.01456 | 0.8641 |
CVE-2014-0095 | Medium 5 | CWE-20 | 0.10655 | 0.95036 |
CVE-2016-8747 | High 7.5 | CWE-200 | 0.00333 | 0.70804 |
CVE-2023-34981 | High 7.5 | CWE-732 | 0.00281 | 0.68023 |
CVE-2024-34750 | High 7.5 | CWE-755, CWE-400 | 0.00043 | 0.10859 |
CVE-2024-21733 | Medium 5.3 | CWE-209 | 0.00488 | 0.75806 |
CVE-2024-52317 | Medium 6.5 | CWE-326 | 0.00043 | 0.10859 |
tomcat-coyote Vulnerability Remediation Guidance
CVE | Description | Full list of Impacted Versions | Fix |
---|---|---|---|
CVE-2024-52317 | Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue. | 11.0.0-M26, 9.0.94, 10.1.28, 11.0.0-M24, 9.0.93, 10.1.30, 9.0.95, 11.0.0-M25 … (truncated) | Major → 11.0.0 |
CVE-2024-34750 | Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue. | 9.0.0.M1, 9.0.0.M10, 9.0.0.M11, 9.0.0.M9, 9.0.0.M8, 9.0.0.M15, 9.0.0.M17, 9.0.0.M18 … (truncated) | Patch → 9.0.90 |
CVE-2024-24549 | Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99, which fix the issue. | 8.5.76, 8.5.96, 8.5.81, 8.5.87, 8.5.98, 8.5.97, 8.5.95, 8.5.94 … (truncated) | Patch → 9.0.90 |
CVE-2024-21733 | Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. | 9.0.0.M11, 9.0.0.M15, 9.0.0.M17, 9.0.0.M18, 9.0.0.M13, 9.0.37, 9.0.24, 9.0.11 … (truncated) | Patch → 9.0.90 |
CVE-2023-44487 | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. | 8.5.76, 8.5.81, 8.5.87, 8.5.78, 8.5.71, 8.5.4, 8.5.15, 8.5.58 … (truncated) | Patch → 9.0.90 |
CVE-2023-34981 | A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request, leading to an information leak. | 8.5.88 | Patch → 9.0.90 |
CVE-2023-28709 | The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur. | 8.5.87, 8.5.85, 8.5.86 | Patch → 9.0.90 |
CVE-2023-24998 | Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured. | 8.5.87, 8.5.85, 8.5.86, 9.0.0.M1, 9.0.0.M10, 9.0.0.M11, 9.0.0.M9, 9.0.0.M8 … (truncated) | Patch → 9.0.90 |
CVE-2022-42252 | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header, making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. | 8.5.76, 8.5.81, 8.5.78, 8.5.71, 8.5.4, 8.5.15, 8.5.58, 8.5.49 … (truncated) | Patch → 9.0.90 |
CVE-2020-1938 | When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed (1) returning arbitrary files from anywhere in the web application and (2) processing any file in the web application as a JSP. Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2020-1935 | In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. | 8.5.49, 8.5.50, 7.0.99, 9.0.30, 9.0.29 | Patch → 9.0.90 |
CVE-2020-17527 | While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. | 8.5.4, 8.5.15, 8.5.58, 8.5.49, 8.5.27, 8.5.21, 8.5.0, 8.5.50 … (truncated) | Patch → 9.0.90 |
CVE-2020-13943 | If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers, including HTTP/2 pseudo headers, from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. | 8.5.4, 8.5.15, 8.5.49, 8.5.27, 8.5.21, 8.5.0, 8.5.50, 8.5.42 … (truncated) | Patch → 9.0.90 |
CVE-2020-11996 | A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive. | 8.5.4, 8.5.15, 8.5.49, 8.5.27, 8.5.21, 8.5.0, 8.5.50, 8.5.42 … (truncated) | Patch → 9.0.90 |
CVE-2019-17569 | The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed, leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. | 8.5.49, 8.5.50, 7.0.99, 9.0.30, 9.0.29 | Patch → 9.0.90 |
CVE-2019-10072 | The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. | 8.5.4, 8.5.15, 8.5.27, 8.5.21, 8.5.0, 8.5.34, 8.5.9, 8.5.37 … (truncated) | Patch → 9.0.90 |
CVE-2019-0199 | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS. | 8.5.4, 8.5.15, 8.5.27, 8.5.21, 8.5.0, 8.5.34, 8.5.9, 8.5.37 … (truncated) | Patch → 9.0.90 |
CVE-2017-6056 | It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2017-5651 | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests, which in turn could lead to unexpected errors and/or response mix-up. | 8.5.4, 8.5.0, 8.5.9, 8.5.12, 8.5.11, 8.5.3, 8.5.8, 8.5.6 … (truncated) | Patch → 9.0.90 |
CVE-2017-5650 | In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads. | 8.5.4, 8.5.0, 8.5.9, 8.5.12, 8.5.11, 8.5.3, 8.5.8, 8.5.6 … (truncated) | Patch → 9.0.90 |
CVE-2017-5647 | A bug in the handling of pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2016-8747 | An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request. | 8.5.9, 8.5.8, 9.0.0.M11, 9.0.0.M15, 9.0.0.M13 | Patch → 9.0.90 |
CVE-2016-8745 | A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards, where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug, but further investigation has shown that the bug is present in all currently supported Tomcat versions. | 8.0.30, 8.0.21, 8.0.0-RC10, 8.0.38, 8.0.36, 8.0.32, 8.0.28, 8.0.23 … (truncated) | Patch → 9.0.90 |
CVE-2016-6817 | The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible. | 8.5.4, 8.5.0, 8.5.3, 8.5.6, 8.5.2, 8.5.5, 9.0.0.M1, 9.0.0.M10 … (truncated) | Patch → 9.0.90 |
CVE-2016-6816 | The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2014-0099 | Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2014-0095 | java/org/apache/coyote/ajp/AbstractAjpProcessor.java in Apache Tomcat 8.x before 8.0.4 allows remote attackers to cause a denial of service (thread consumption) by using a "Content-Length: 0" AJP request to trigger a hang in request processing. | 8.0.0-RC10, 8.0.3, 8.0.0-RC5, 8.0.0-RC3, 8.0.0-RC1, 8.0.1 | Patch → 9.0.90 |
CVE-2014-0075 | Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2014-0050 | MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2013-4444 | Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2013-4322 | Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2013-4286 | Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2013-2185 | The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2012-4534 | org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.22, 7.0.2, 7.0.16 … (truncated) | Patch → 9.0.90 |
CVE-2012-3544 | Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.28, 7.0.22, 7.0.2 … (truncated) | Patch → 9.0.90 |
CVE-2012-2733 | java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.25, 7.0.22, 7.0.2, 7.0.16 … (truncated) | Patch → 9.0.90 |
CVE-2011-3375 | Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.2, 7.0.16, 7.0.12, 7.0.6 … (truncated) | Patch → 9.0.90 |
CVE-2011-3190 | Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. | 7.0.19, 7.0.5, 7.0.0, 7.0.8, 7.0.2, 7.0.16, 7.0.12, 7.0.6 … (truncated) | Patch → 9.0.90 |
CVE-2011-2526 | Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. | 7.0.5, 7.0.0, 7.0.8, 7.0.2, 7.0.16, 7.0.12, 7.0.6, 7.0.4 … (truncated) | Patch → 9.0.90 |
CVE-2011-1475 | The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users." | 7.0.5, 7.0.0, 7.0.8, 7.0.2, 7.0.6, 7.0.4, 7.0.11 | Patch → 9.0.90 |
CVE-2011-0534 | Apache Tomcat 7.0.0 through 7.0.6 and 6.0.0 through 6.0.30 does not enforce the maxHttpHeaderSize limit for requests involving the NIO HTTP connector, which allows remote attackers to cause a denial of service (OutOfMemoryError) via a crafted request. | 7.0.5, 7.0.0, 7.0.2, 7.0.6, 7.0.4 | Patch → 9.0.90 |
CVE-2010-2227 | Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer." | 7.0.0 | Patch → 9.0.90 |
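The CVE-2020-1938 entry above turns on one question: is an AJP connector reachable by untrusted clients? The hardening it alludes to (the 9.0.31 / 8.5.51 / 7.0.100 default changes) amounts to binding the connector to a loopback or private address and requiring a shared secret. The script below is an added example, not code from this page or from the Apache Tomcat project: it parses a server.xml and flags AJP connectors that still have the pre-9.0.31 default shape. The embedded server.xml is constructed for the example; `address`, `secretRequired` and `secret` are Tomcat's own Connector attributes, while the function names, the wildcard-address list and the wording of the findings are this example's assumptions.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way the
pre-9.0.31 default was (CVE-2020-1938): listening on every interface with
no shared secret. The sample server.xml is constructed for this example."""
import xml.etree.ElementTree as ET

# Constructed sample: one HTTP connector, one legacy-default AJP connector,
# one hardened AJP connector and one explicitly weakened AJP connector.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- shape of the default shipped before 9.0.31 / 8.5.51 / 7.0.100 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <!-- hardened: loopback only, shared secret required and set -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value"
               redirectPort="8443"/>
    <!-- weakened: every interface, secret explicitly turned off -->
    <Connector port="8011" protocol="AJP/1.3" address="0.0.0.0"
               secretRequired="false" redirectPort="8443"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

# Addresses that mean "every interface" (assumed list for this example).
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "::0", "0:0:0:0:0:0:0:0"}


def is_ajp(connector: ET.Element) -> bool:
    """Match the short protocol name (AJP/1.3) and the fully-qualified
    org.apache.coyote.ajp.* protocol class names."""
    protocol = connector.get("protocol", "HTTP/1.1")
    return "AJP" in protocol.upper() or ".ajp." in protocol


def audit_ajp_connectors(server_xml: str) -> dict[str, list[str]]:
    """Return {port: [findings]} for every AJP connector in the document.
    An empty findings list means the connector looks hardened."""
    root = ET.fromstring(server_xml)
    report: dict[str, list[str]] = {}
    for connector in root.iter("Connector"):
        if not is_ajp(connector):
            continue
        findings: list[str] = []
        address = connector.get("address")
        if address is None or address in WILDCARD_ADDRESSES:
            findings.append("listens on all interfaces; set address to a "
                            "loopback or private-interface IP")
        # secretRequired defaults to true from 9.0.31; a connector that
        # requires a secret but has none will not start on those releases,
        # while older releases simply accept any client.
        if connector.get("secretRequired", "true").lower() == "false":
            findings.append('secretRequired="false" disables the shared secret')
        elif not connector.get("secret"):
            findings.append("no secret configured; pre-9.0.31 releases "
                            "accept any client on this port")
        report[connector.get("port", "?")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_ajp_connectors(SAMPLE_SERVER_XML).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"AJP connector on port {port}: {status}")
```

Run it against a real server.xml by replacing `SAMPLE_SERVER_XML` with the file contents. A connector that is not needed at all is better deleted than hardened; the audit only covers the case where AJP must stay on.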
Dependencies
Packages using versions of tomcat-coyote affected by its vulnerabilities
Dependent Packages |
---|
org.apache.tomcat:tomcat-servlet-api:11.0.1 |
org.apache.tomcat:tomcat-jni:11.0.1 |
org.apache.tomcat:tomcat-juli:11.0.1 |
org.apache.tomcat:tomcat-util:11.0.1 |
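The impacted-version lists above mix milestone, release-candidate and final release numbers (9.0.0.M11, 8.0.0-RC10, 11.0.0-M23, 10.1.30), and a plain string or tuple comparison mis-orders them: Tomcat milestones and release candidates sort before the final release with the same number. The script below is an added example, not part of this page or of the Tomcat project. It parses both spellings the listing uses (9.0.0.M11 and 9.0.0-M11), reads the version out of a purl like the one at the top of the page, and reports which of a few listed CVEs cover it. `AFFECTED_RANGES` is a hand-copied subset of the ranges stated in the CVE descriptions above, and the function names are this example's assumptions.

```python
"""Decide whether a tomcat-coyote version (plain or inside a purl) falls in
the affected ranges stated for some of the CVEs listed on this page.
Version order: M<n> (milestone) < RC<n> (release candidate) < final release."""
import re
from typing import NamedTuple


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int       # 0 = milestone (M), 1 = release candidate (RC), 2 = final
    stage_num: int   # the n in M<n> / RC<n>; 0 for a final release


# Accepts 9.0.95, 9.0.0.M11, 9.0.0-M11, 8.0.0-RC10 and 8.0.0.RC1.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    if tag is None:
        stage, stage_num = 2, 0
    else:
        stage, stage_num = (0 if tag == "M" else 1), int(num)
    return TomcatVersion(int(major), int(minor), int(patch), stage, stage_num)


def version_from_purl(purl: str) -> str:
    """pkg:maven/org.apache.tomcat:tomcat-coyote@11.0.1 -> 11.0.1
    (qualifiers after '?' and a subpath after '#' are dropped)."""
    if "@" not in purl:
        raise ValueError(f"purl has no version component: {purl!r}")
    return purl.rsplit("@", 1)[1].split("?", 1)[0].split("#", 1)[0]


# Inclusive (first affected, last affected) ranges copied from the CVE
# descriptions on this page; a subset chosen for the example.
AFFECTED_RANGES: dict[str, list[tuple[str, str]]] = {
    "CVE-2024-52317": [("11.0.0-M23", "11.0.0-M26"), ("10.1.27", "10.1.30"),
                       ("9.0.92", "9.0.95")],
    "CVE-2024-34750": [("11.0.0-M1", "11.0.0-M20"), ("10.1.0-M1", "10.1.24"),
                       ("9.0.0-M1", "9.0.89")],
    "CVE-2024-24549": [("11.0.0-M1", "11.0.0-M16"), ("10.1.0-M1", "10.1.18"),
                       ("9.0.0-M1", "9.0.85"), ("8.5.0", "8.5.98")],
    "CVE-2024-21733": [("8.5.7", "8.5.63"), ("9.0.0-M11", "9.0.43")],
    "CVE-2020-1938":  [("9.0.0-M1", "9.0.30"), ("8.5.0", "8.5.50"),
                       ("7.0.0", "7.0.99")],
}


def affected_cves(version: str) -> list[str]:
    """CVE ids from AFFECTED_RANGES whose ranges contain `version`."""
    v = parse_version(version)
    return [
        cve for cve, ranges in AFFECTED_RANGES.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    ]


if __name__ == "__main__":
    for purl in ("pkg:maven/org.apache.tomcat:tomcat-coyote@11.0.1",
                 "pkg:maven/org.apache.tomcat:tomcat-coyote@11.0.0-M25",
                 "pkg:maven/org.apache.tomcat:tomcat-coyote@9.0.0.M11"):
        hits = affected_cves(version_from_purl(purl))
        print(f"{purl}: {', '.join(hits) or 'not in any listed range'}")
```

The ordering key is what makes this usable against an SBOM: 11.0.0-M26 must test as older than 11.0.0 (the fix release for CVE-2024-52317), and 8.0.0-RC10 as older than 8.0.0, which neither lexical sorting nor a naive split on dots gives you.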