CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2024-23672 – Apache Tomcat: WebSocket DoS with incomplete closing handshake
https://notcve.org/view.php?id=CVE-2024-23672
13 Mar 2024 — Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. Denegación de servicio mediante vulnerabilidad de limpieza inco... • http://www.openwall.com/lists/oss-security/2024/03/13/4 • CWE-459: Incomplete Cleanup •
CVSS: 7.8EPSS: 81%CPEs: 4EXPL: 2CVE-2024-24549 – Apache Tomcat: HTTP/2 header handling DoS
https://notcve.org/view.php?id=CVE-2024-24549
13 Mar 2024 — Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 1... • https://github.com/Abdurahmon3236/CVE-2024-24549 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 69%CPEs: 19EXPL: 2CVE-2024-21733 – Apache Tomcat: Leaking of unrelated request bodies in default error page
https://notcve.org/view.php?id=CVE-2024-21733
19 Jan 2024 — Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. Vulnerabilidad de generación de mensaje de error que contiene información confidencial en Apache Tomcat. Este problema afecta a Apache Tomcat: desde 8.5.7 hasta 8.5.63, desde 9.0.0-M11 hasta 9.0.43. Se recomienda a ... • https://packetstorm.news/files/id/176951 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.8EPSS: 15%CPEs: 13EXPL: 0CVE-2023-46589 – Apache Tomcat: HTTP request smuggling via malformed trailer headers
https://notcve.org/view.php?id=CVE-2023-46589
28 Nov 2023 — Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards,... • https://lists.apache.org/thread/0rqq6ktozqc42ro8hhxdmmdjm1k1tpxr • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVSS: 5.3EPSS: 4%CPEs: 64EXPL: 0CVE-2023-45648 – Apache Tomcat: Trailer header parsing too lenient
https://notcve.org/view.php?id=CVE-2023-45648
10 Oct 2023 — Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 o... • http://www.openwall.com/lists/oss-security/2023/10/10/10 • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 3%CPEs: 64EXPL: 0CVE-2023-42795 – Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests
https://notcve.org/view.php?id=CVE-2023-42795
10 Oct 2023 — Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes t... • http://www.openwall.com/lists/oss-security/2023/10/10/9 • CWE-459: Incomplete Cleanup •
CVSS: 5.9EPSS: 2%CPEs: 2EXPL: 0CVE-2023-42794 – Apache Tomcat: FileUpload: DoS due to accumulation of temporary files on Windows
https://notcve.org/view.php?id=CVE-2023-42794
10 Oct 2023 — Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to ... • http://www.openwall.com/lists/oss-security/2023/10/10/8 • CWE-459: Incomplete Cleanup •
CVSS: 7.8EPSS: 94%CPEs: 444EXPL: 17CVE-2023-44487 – HTTP/2 Rapid Reset Attack Vulnerability
https://notcve.org/view.php?id=CVE-2023-44487
10 Oct 2023 — The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. El protocolo HTTP/2 permite una denegación de servicio (consumo de recursos del servidor) porque la cancelación de solicitudes puede restablecer muchas transmisiones rápidamente, como se explotó en la naturaleza entre agosto y octubre de 2023. A flaw was found in handling multiplexed streams in the HTTP/2 protocol. ... • https://github.com/imabee101/CVE-2023-44487 • CWE-400: Uncontrolled Resource Consumption •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41081 – Apache Tomcat Connectors: Unexpected use of first declared worker in mod_jk for unmapped request
https://notcve.org/view.php?id=CVE-2023-41081
13 Sep 2023 — Important: Authentication Bypass CVE-2023-41081 The mod_jk component of Apache Tomcat Connectors in some circumstances, such as when a configuration included "JkOptions +ForwardDirectories" but the configuration did not provide explicit mounts for all possible proxied requests, mod_jk would use an implicit mapping and map the request to the first defined worker. Such an implicit mapping could result in the unintended exposure of the status worker and/or bypass security constraints configured in httpd. As of... • http://www.openwall.com/lists/oss-security/2023/09/28/7 • CWE-202: Exposure of Sensitive Information Through Data Queries •
CVSS: 6.4EPSS: 70%CPEs: 15EXPL: 1CVE-2023-41080 – Apache Tomcat: Open redirect with FORM authentication
https://notcve.org/view.php?id=CVE-2023-41080
25 Aug 2023 — URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from 8.5.0 through 8.5.92. The vulnerability is limited to the ROOT (default) web application. Vulnerabilidad de redirección de URL a sitio no fiable ('Open Redirect') en la función de autenticación FORM de Apache Tomcat. Este problema afecta a Apache Tomcat: de 11.0... • https://github.com/shiomiyan/CVE-2023-41080 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •