2 February 2021 Fixed in Apache Tomcat 9.0.43
Note: The issues below were fixed in Apache Tomcat 9.0.42 but the
release vote for the 9.0.42 release candidate did not pass. Therefore,
although users must download 9.0.43 to obtain a version that includes a
fix for these issues, version 9.0.42 is not included in the list of
affected versions.
Low: Fix for CVE-2020-9484 was incomplete
CVE-2021-25329
The fix for CVE-2020-9484 was incomplete. When using a
highly unlikely configuration edge case, the Tomcat instance was still
vulnerable to CVE-2020-9484. Note that both the previously
published prerequisites for CVE-2020-9484 and the previously
published non-upgrade mitigations for CVE-2020-9484 also apply to
this issue.
This was fixed with commit 4785433a.
This issue was reported to the Apache Tomcat Security team by Trung Pham
of Viettel Cyber Security on 12 January 2021. The issue was made public
on 1 March 2021.
Affects: 9.0.0.M1 to 9.0.41
Important: Request mix-up with h2c
CVE-2021-25122
When responding to new h2c connection requests, Apache Tomcat could
duplicate request headers and a limited amount of request body from one
request to another, meaning user A and user B could both see the results of
user A's request.
This was fixed with commit d47c20a7.
This issue was identified by the Apache Tomcat Security team on 11
January 2021. The issue was made public on 1 March 2021.
Affects: 9.0.0.M1 to 9.0.41
11 May 2020 Fixed in Apache Tomcat 9.0.35
Important: Remote Code Execution via session persistence
CVE-2020-9484
If:
- an attacker is able to control the contents and name of a file on the
  server; and
- the server is configured to use the PersistenceManager with a FileStore;
  and
- the PersistenceManager is configured with
  sessionAttributeValueClassNameFilter="null" (the default unless a
  SecurityManager is used) or a sufficiently lax filter to allow the
  attacker-provided object to be deserialized; and
- the attacker knows the relative file path from the storage location used
  by FileStore to the file the attacker has control over;
then, using a specifically crafted request, the attacker will be able to
trigger remote code execution via deserialization of the file under their
control.
Note: All of the conditions above must be true for the attack to succeed.
As an alternative to upgrading to 9.0.35 or later, users may configure
the PersistenceManager with an appropriate value for
sessionAttributeValueClassNameFilter to ensure that only
application-provided attributes are serialized and deserialized.
This was fixed with commit 3aa8f28d.
This issue was reported to the Apache Tomcat Security Team by jarvis
threedr3am of pdd security research on 12 April 2020. The issue was made
public on 20 May 2020.
Affects: 9.0.0.M1 to 9.0.34
not released Fixed in Apache Tomcat 9.0.9
Low: CORS filter has insecure defaults
CVE-2018-8014
The default settings for the CORS filter are insecure and enable
supportsCredentials for all origins. It is expected that users of the CORS
filter will have configured it appropriately for their environment rather
than using it in the default configuration. Therefore, it is expected that
most users will not be impacted by this issue.
This was fixed in revision 1831726.
This issue was reported publicly on 1 May 2018 and formally announced as
a vulnerability on 16 May 2018.
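The two configuration checks below are an added example written for this page (they are not Apache Tomcat's code). They cover the CVE-2020-9484 mitigation above, where a PersistentManager backed by a FileStore should carry a restrictive sessionAttributeValueClassNameFilter, and the CORS filter defaults in this entry, where cors.support.credentials must not be left to an insecure default or combined with cors.allowed.origins=*. The element, attribute and init-param names are Tomcat's documented ones; the constructed context.xml and web.xml fragments, the sample filter regex, the origin https://app.example.com and the probe class name org.example.NotAnApplicationClass are assumptions made for the example.

```python
"""Audit Tomcat configuration fragments for the two settings discussed above:
a PersistentManager persisting to a FileStore without a
sessionAttributeValueClassNameFilter (CVE-2020-9484), and a CorsFilter that
allows credentials for every origin (CVE-2018-8014). Added example; not Tomcat code."""
import re
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"
CORS_FILTER = "org.apache.catalina.filters.CorsFilter"
# Constructed class name no application filter should accept; a regex that
# fully matches it would let arbitrary classes be deserialized.
PROBE_CLASS = "org.example.NotAnApplicationClass"


def _local(tag):
    """Drop the XML namespace from an ElementTree tag: '{urn:x}filter' -> 'filter'."""
    return tag.rsplit("}", 1)[-1]


def audit_context_xml(xml_text):
    """Findings for PersistentManager + FileStore elements in a context.xml."""
    findings = []
    for mgr in ET.fromstring(xml_text).iter():
        if _local(mgr.tag) != "Manager" or mgr.get("className") != PERSISTENT_MANAGER:
            continue
        if not any(_local(s.tag) == "Store" and s.get("className") == FILE_STORE
                   for s in mgr):
            continue
        flt = (mgr.get("sessionAttributeValueClassNameFilter") or "").strip()
        if flt in ("", "null"):
            findings.append("no sessionAttributeValueClassNameFilter (default "
                            "null): any class in the store may be deserialized")
            continue
        try:  # Tomcat applies the pattern as a full match of the class name
            if re.fullmatch(flt, PROBE_CLASS):
                findings.append("filter matches arbitrary class names: " + flt)
        except re.error as exc:
            findings.append("filter is not a valid regular expression: %s" % exc)
    return findings


def audit_web_xml(xml_text):
    """Findings for CorsFilter declarations in a web.xml."""
    findings = []
    for flt in ET.fromstring(xml_text).iter():
        if _local(flt.tag) != "filter":
            continue
        filter_class, params = None, {}
        for child in flt:
            if _local(child.tag) == "filter-class":
                filter_class = (child.text or "").strip()
            elif _local(child.tag) == "init-param":
                kv = {_local(c.tag): (c.text or "").strip() for c in child}
                params[kv.get("param-name")] = kv.get("param-value")
        if filter_class != CORS_FILTER:
            continue
        origins = params.get("cors.allowed.origins", "*")  # Tomcat's default
        creds = params.get("cors.support.credentials")
        if creds is None:
            findings.append("cors.support.credentials relies on the default, which "
                            "enabled credentials for all origins before revision 1831726")
        elif creds.lower() == "true" and origins.strip() == "*":
            findings.append("cors.support.credentials=true with cors.allowed.origins=*")
    return findings


# Constructed samples: the weak form of each file beside a corrected one.
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
FIXED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
      sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.app\..*">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
</Context>"""
WEAK_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter><filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
</web-app>"""
FIXED_WEB = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter><filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name>
      <param-value>true</param-value></init-param></filter>
</web-app>"""

if __name__ == "__main__":
    for name, text, audit in (("weak context.xml", WEAK_CONTEXT, audit_context_xml),
                              ("fixed context.xml", FIXED_CONTEXT, audit_context_xml),
                              ("weak web.xml", WEAK_WEB, audit_web_xml),
                              ("fixed web.xml", FIXED_WEB, audit_web_xml)):
        print(name + ":", audit(text) or "no findings")
```

The filter check deliberately tests the regex against a class name the application would never store rather than inspecting the pattern text: Tomcat matches the whole class name against the pattern, so a filter that accepts the probe accepts anything, which is exactly the "sufficiently lax filter" precondition of CVE-2020-9484. For the CORS filter, an explicit origin list with credentials enabled is acceptable; credentials for the wildcard origin, or reliance on the pre-fix default, is what the entry warns about.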
13 June 2016 Fixed in Apache Tomcat 8.5.3 and 8.0.36
Moderate: Denial of Service
CVE-2016-3092
Apache Tomcat uses a package-renamed copy of Apache Commons FileUpload to
implement the file upload requirements of the Servlet specification. A
denial of service vulnerability was identified in Commons FileUpload that
occurred when the length of the multipart boundary was just below the
size of the buffer (4096 bytes) used to read the uploaded file. This
caused the file upload process to take several orders of magnitude
longer than if the boundary was the typical tens of bytes long.
This was fixed in revision 1743722 for 8.5.x and revision 1743738 for 8.0.x.
This issue was identified by the TERASOLUNA Framework Development Team
and reported to the Apache Commons team via JPCERT on 9 May 2016. It was
made public on 21 June 2016.
Affects: 8.5.0 to 8.5.2, 8.0.0.RC1 to 8.0.35
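To make the cost described above concrete, here is an added example (not Commons FileUpload's or Tomcat's code) that models a multipart scanner reading part data through a fixed 4096-byte buffer and counts how many reads it needs to reach the delimiter. Because a delimiter can straddle two reads, the scanner must carry over the last len(delimiter)-1 bytes, so a boundary just below the buffer size leaves only a few bytes of fresh input per read. The min_bufsize_rule option enlarges the buffer to at least twice the delimiter length; that rule is my assumption of how the cited fix addresses the problem, and the boundaries and body are constructed for the example.

```python
"""Model of a multipart scanner that reads part data through a fixed-size
buffer, showing why a boundary just below the buffer size is so costly.
Added example for this page; it is not Commons FileUpload or Tomcat code."""
import io

DEFAULT_BUFSIZE = 4096       # the 4096-byte read buffer the advisory refers to
BOUNDARY_PREFIX = b"\r\n--"  # a delimiter line is CRLF, "--", then the boundary


def scan_for_boundary(stream, boundary, bufsize=DEFAULT_BUFSIZE, min_bufsize_rule=False):
    """Read part data from `stream` until CRLF--boundary is found.

    Returns (part_length, read_calls). Because a delimiter may straddle two
    reads, after each miss the scanner keeps the last len(delimiter)-1 bytes
    and refills only the remainder of the buffer. When the delimiter nearly
    fills the buffer, every refill fetches just a few fresh bytes, which is
    the slowdown behind CVE-2016-3092. min_bufsize_rule grows the buffer to
    at least twice the delimiter length (assumption: modelled on the fix)."""
    delimiter = BOUNDARY_PREFIX + boundary
    if bufsize < len(delimiter) + 1:
        raise ValueError("buffer too small for this boundary")
    if min_bufsize_rule:
        bufsize = max(bufsize, 2 * len(delimiter))
    keep = len(delimiter) - 1
    buf, consumed, reads = b"", 0, 0
    while True:
        chunk = stream.read(bufsize - len(buf))
        reads += 1
        if not chunk:
            raise ValueError("stream ended before the boundary")
        buf += chunk
        idx = buf.find(delimiter)
        if idx >= 0:
            return consumed + idx, reads
        if len(buf) > keep:  # discard bytes that cannot start a delimiter
            consumed += len(buf) - keep
            buf = buf[-keep:]


def count_reads(boundary, part_len=64 * 1024, min_bufsize_rule=False):
    """Scan a constructed body (part_len bytes of 'A', then the delimiter) and
    return (part_length_found, read_calls)."""
    body = b"A" * part_len + BOUNDARY_PREFIX + boundary + b"\r\n"
    return scan_for_boundary(io.BytesIO(body), boundary, min_bufsize_rule=min_bufsize_rule)


def compare():
    """Read counts for a browser-sized boundary and a near-buffer-size one,
    each with and without the minimum-buffer rule."""
    typical = b"----ConstructedBoundary0"                            # 24-byte boundary
    near_buf = b"B" * (DEFAULT_BUFSIZE - len(BOUNDARY_PREFIX) - 2)   # 4094-byte delimiter
    return {(name, rule): count_reads(boundary, min_bufsize_rule=rule)[1]
            for name, boundary in (("typical", typical), ("near_bufsize", near_buf))
            for rule in (False, True)}


if __name__ == "__main__":
    for (name, rule), reads in sorted(compare().items()):
        print("%-13s min_bufsize_rule=%-5s reads=%d" % (name, rule, reads))
```

For the constructed 64 KiB part, the typical boundary needs on the order of twenty reads, while the near-buffer-size boundary needs over twenty thousand without the rule, the "several orders of magnitude" the entry describes; with the buffer forced to twice the delimiter length the near-buffer-size case drops back to tens of reads. A request-size limit on multipart bodies is the usual complementary control, since the cost scales with the amount of part data scanned.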
released 4 Sep 2009 Fixed in Apache Tomcat 5.5.28
Important: Information Disclosure
CVE-2008-5515
When using a RequestDispatcher obtained from the Request, the target path
was normalised before the query string was removed. A request that
included a specially crafted request parameter could be used to access
content that would otherwise be protected by a security constraint or by
locating it under the WEB-INF directory.
This was fixed in revisions 782757 and 783291.
This was first reported to the Tomcat security team on 11 Dec 2008 and
made public on 8 Jun 2009.
Affects: 5.5.0-5.5.27
Important: Denial of Service
CVE-2009-0033
If Tomcat receives a request with invalid headers via the Java AJP
connector, it does not return an error and instead closes the AJP
connection. If this connector is a member of a mod_jk load balancing
worker, that member will be put into an error state and will be blocked
from use for approximately one minute. This behaviour can therefore be used
for a denial of service attack using a carefully crafted request.
This was fixed in revision 781362.
This was first reported to the Tomcat security team on 26 Jan 2009 and
made public on 3 Jun 2009.
Affects: 5.5.0-5.5.27
Low: Information disclosure
CVE-2009-0580
Due to insufficient error checking in some authentication classes, Tomcat
allows for the enumeration (brute force testing) of user names by
supplying illegally URL encoded passwords. The attack is possible if FORM
based authentication (j_security_check) is used with the MemoryRealm.
Note that in early versions, the DataSourceRealm and JDBCRealm were also
affected.
This was fixed in revision 781379.
This was first reported to the Tomcat security team on 25 Feb 2009 and
made public on 3 Jun 2009.
Affects: 5.5.0-5.5.27 (Memory Realm), 5.5.0-5.5.5 (DataSource and JDBC Realms)
Low: Cross-site scripting
CVE-2009-0781
The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective.
This was fixed in revision 750928.
This was first reported to the Tomcat security team on 5 Mar 2009 and
made public on 6 Mar 2009.
Affects: 5.5.0-5.5.27
Low: Information disclosure
CVE-2009-0783
Bugs 29936 and 45933 allowed a web application to replace the XML parser
used by Tomcat to process web.xml, context.xml and tld files. In limited
circumstances these bugs may allow a rogue web application to view and/or
alter the web.xml, context.xml and tld files of other web applications
deployed on the Tomcat instance.
This was fixed in revisions 681156 and 781542.
This was first reported to the Tomcat security team on 2 Mar 2009 and
made public on 4 Jun 2009.
Affects: 5.5.0-5.5.27
Will not be fixed in Apache Tomcat 4.1.x
Moderate: Information disclosure
CVE-2005-4836
The deprecated HTTP/1.1 connector does not reject request URIs containing
null bytes when used with contexts that are configured with
allowLinking="true". Failure to reject the null byte enables an attacker
to obtain the source for any JSP page in these contexts. Users of Tomcat
4.1.x are advised to use the default, supported Coyote HTTP/1.1 connector
which does not exhibit this issue. There are no plans to issue an update
to Tomcat 4.1.x for this issue.
Affects: 4.1.15-4.1.SVN
Fixed in Apache Tomcat 4.1.35
Low: Information disclosure
CVE-2008-4308
Bug 40771 may result in the disclosure of POSTed content from a previous
request. For a vulnerability to exist, the content read from the input
stream must be disclosed, e.g. via writing it to the response and committing
the response, before the ArrayIndexOutOfBoundsException occurs which will
halt processing of the request.
Affects: 4.1.32-4.1.34 (4.0.x unknown)
Fixed in Apache Tomcat 4.1.3
Important: Denial of service
CVE-2002-0935
A malformed HTTP request can cause the request processing thread to
become unresponsive. A sequence of such requests will cause all request
processing threads, and hence Tomcat as a whole, to become unresponsive.
Affects: 4.0.0-4.0.2?, 4.0.3, 4.0.4-4.0.6?, 4.1.0-4.1.2?
Fixed in Apache Tomcat 3.3a
Moderate: Information disclosure
CVE-2002-2007
Non-standard requests to the sample applications installed by default
could result in unexpected directory listings or disclosure of the full
file system path for a JSP.
Affects: 3.2.3-3.2.4
Low: Information disclosure
CVE-2002-2006,
CVE-2000-0760
The snoop servlet installed as part of the examples includes output that
identifies the Tomcat installation path. There are no plans to issue an
update to Tomcat 3.x for this issue.
Affects: 3.1-3.1.1, 3.2-3.2.4