nexB note: This file contains excerpts from https://tomcat.apache.org/security-9.html and other related Tomcat pages.

2 February 2021 Fixed in Apache Tomcat 9.0.43

Note: The issues below were fixed in Apache Tomcat 9.0.42 but the release vote for the 9.0.42 release candidate did not pass. Therefore, although users must download 9.0.43 to obtain a version that includes a fix for these issues, version 9.0.42 is not included in the list of affected versions.

Low: Fix for CVE-2020-9484 was incomplete CVE-2021-25329

The fix for CVE-2020-9484 was incomplete. When using a highly unlikely configuration edge case, the Tomcat instance was still vulnerable to CVE-2020-9484. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published non-upgrade mitigations for CVE-2020-9484 also apply to this issue.

This was fixed with commit 4785433a.

This issue was reported to the Apache Tomcat Security team by Trung Pham of Viettel Cyber Security on 12 January 2021. The issue was made public on 1 March 2021.

Affects: 9.0.0.M1 to 9.0.41

Important: Request mix-up with h2c CVE-2021-25122

When responding to new h2c connection requests, Apache Tomcat could duplicate request headers and a limited amount of request body from one request to another, meaning user A and user B could both see the results of user A's request.

This was fixed with commit d47c20a7.

This issue was identified by the Apache Tomcat Security team on 11 January 2021. The issue was made public on 1 March 2021.

Affects: 9.0.0.M1 to 9.0.41

11 May 2020 Fixed in Apache Tomcat 9.0.35

Important: Remote Code Execution via session persistence CVE-2020-9484

If:

then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.

Note: All of the conditions above must be true for the attack to succeed.

As an alternative to upgrading to 9.0.35 or later, users may configure the PersistenceManager with an appropriate value for sessionAttributeValueClassNameFilter to ensure that only application provided attributes are serialized and deserialized.
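As an added example that is not part of the Tomcat advisory, the following context.xml fragments show a PersistentManager backed by a FileStore, first in the unfiltered form the advisory describes and then with sessionAttributeValueClassNameFilter restricting serialization and deserialization to application-provided classes. The com.example.app package and the store directory are assumed placeholders.

```xml
<!-- META-INF/context.xml, weak configuration (constructed example).
     No sessionAttributeValueClassNameFilter is set, so the default of
     null applies and any serializable class on the classpath may be
     deserialized from a session file in the store directory. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat9/sessions"/>
  </Manager>
</Context>

<!-- Hardened alternative: only attribute values whose fully qualified
     class name matches the regular expression are serialized or
     deserialized; everything else is dropped. com.example.app stands
     for the application's own session attribute classes. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.app\..*"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="/var/lib/tomcat9/sessions"/>
  </Manager>
</Context>
```

With warnOnSessionAttributeFilterFailure enabled, each attribute the filter rejects is logged at WARN level, so an unexpected class name in the log points either to a missing entry in the filter or to a session file the application did not write.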

This was fixed with commit 3aa8f28d.

This issue was reported to the Apache Tomcat Security Team by jarvis threedr3am of pdd security research on 12 April 2020. The issue was made public on 20 May 2020.

Affects: 9.0.0.M1 to 9.0.34

not released Fixed in Apache Tomcat 9.0.9

Low: CORS filter has insecure defaults CVE-2018-8014

The default settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

This was fixed in revision 1831726.

This issue was reported publicly on 1 May 2018 and formally announced as a vulnerability on 16 May 2018.

13 June 2016 Fixed in Apache Tomcat 8.5.3 and 8.0.36

Moderate: Denial of Service CVE-2016-3092

Apache Tomcat uses a package-renamed copy of Apache Commons FileUpload to implement the file upload requirements of the Servlet specification. A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file. This caused the file upload process to take several orders of magnitude longer than if the boundary was the typical tens of bytes long.

This was fixed in revision 1743722 for 8.5.x and revision 1743738 for 8.0.x.

This issue was identified by the TERASOLUNA Framework Development Team and reported to the Apache Commons team via JPCERT on 9 May 2016. It was made public on 21 June 2016.

Affects: 8.5.0 to 8.5.2, 8.0.0.RC1 to 8.0.35

released 4 Sep 2009 Fixed in Apache Tomcat 5.5.28

Important: Information Disclosure CVE-2008-5515

When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by being located under the WEB-INF directory.

This was fixed in revisions 782757 and 783291.

This was first reported to the Tomcat security team on 11 Dec 2008 and made public on 8 Jun 2009.

Affects: 5.5.0-5.5.27

Important: Denial of Service CVE-2009-0033

If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. If this connector is a member of a mod_jk load balancing worker, that member will be put into an error state and blocked from use for approximately one minute. This behaviour can therefore be used for a denial of service attack using a carefully crafted request.

This was fixed in revision 781362.

This was first reported to the Tomcat security team on 26 Jan 2009 and made public on 3 Jun 2009.

Affects: 5.5.0-5.5.27

Low: Information disclosure CVE-2009-0580

Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL-encoded passwords. The attack is possible if FORM based authentication (j_security_check) is used with the MemoryRealm. Note that in early versions, the DataSourceRealm and JDBCRealm were also affected.

This was fixed in revision 781379.

This was first reported to the Tomcat security team on 25 Feb 2009 and made public on 3 Jun 2009.

Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC Realms)

Low: Cross-site scripting CVE-2009-0781

The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective.

This was fixed in revision 750928.

This was first reported to the Tomcat security team on 5 Mar 2009 and made public on 6 Mar 2009.

Affects: 5.5.0-5.5.27

Low: Information disclosure CVE-2009-0783

Bugs 29936 and 45933 allowed a web application to replace the XML parser used by Tomcat to process web.xml, context.xml and tld files. In limited circumstances these bugs may allow a rogue web application to view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.

This was fixed in revisions 681156 and 781542.

This was first reported to the Tomcat security team on 2 Mar 2009 and made public on 4 Jun 2009.

Affects: 5.5.0-5.5.27

Will not be fixed in Apache Tomcat 4.1.x

Moderate: Information disclosure CVE-2005-4836

The deprecated HTTP/1.1 connector does not reject request URIs containing null bytes when used with contexts that are configured with allowLinking="true". Failure to reject the null byte enables an attacker to obtain the source for any JSP page in these contexts. Users of Tomcat 4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector which does not exhibit this issue. There are no plans to issue an update to Tomcat 4.1.x for this issue.

Affects: 4.1.15-4.1.SVN

Fixed in Apache Tomcat 4.1.35

Low: Information disclosure CVE-2008-4308

Bug 40771 may result in the disclosure of POSTed content from a previous request. For a vulnerability to exist, the content read from the input stream must be disclosed, e.g. via writing it to the response and committing the response, before the ArrayIndexOutOfBoundsException occurs which will halt processing of the request.

Affects: 4.1.32-4.1.34 (4.0.x unknown)

Fixed in Apache Tomcat 4.1.3

Important: Denial of service CVE-2002-0935

A malformed HTTP request can cause the request processing thread to become unresponsive. A sequence of such requests will cause all request processing threads, and hence Tomcat as a whole, to become unresponsive.

Affects: 4.0.0-4.0.2?, 4.0.3, 4.0.4-4.0.6?, 4.1.0-4.1.2?

Fixed in Apache Tomcat 3.3a

Moderate: Information disclosure CVE-2002-2007

Non-standard requests to the sample applications installed by default could result in unexpected directory listings or disclosure of the full file system path for a JSP.

Affects: 3.2.3-3.2.4

Low: Information disclosure CVE-2002-2006, CVE-2000-0760

The snoop servlet installed as part of the examples includes output that identifies the Tomcat installation path. There are no plans to issue an update to Tomcat 3.x for this issue.

Affects: 3.1-3.1.1, 3.2-3.2.4