Greg K

Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 11.0.0-M1 through 11.0.7 Apache Tomcat versions 10.1.0-M1 through 10.1.41 Apache Tomcat versions 9.0.0.M1 through 9.0.105 Description: A session fixation issue exists in Apache Tomcat due to a flaw in the rewrite valve. Recommendations: Upgrade to Apache Tomcat version 11.0.8. Upgrade to Apache Tomcat version 10.1.42. Upgrade to Apache Tomcat version 9.0.106.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M1 through 11.0.6 Apache Tomcat versions 10.1.0-M1 through 10.1.40 Apache Tomcat versions 9.0.0.M1 through 9.0.104 **Description** The issue is related to improper handling of case sensitivity in Apache Tomcat's GCI servlet, allowing security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. **Recommendations** For Apache Tomcat versions 11.0.0-M1 through 11.0.6, upgrade to version 11.0.7. For Apache Tomcat versions 10.1.0-M1 through 10.1.40, upgrade to version 10.1.41. For Apache Tomcat versions 9.0.0.M1 through 9.0.104, upgrade to version 9.0.105.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M1 through 11.0.7 Apache Tomcat versions 10.1.0-M1 through 10.1.41 Apache Tomcat versions 9.0.0.M1 through 9.0.105 **Description** The issue is related to an Authentication Bypass Using an Alternate Path or Channel vulnerability. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. This path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. **Recommendations** For Apache Tomcat versions 11.0.0-M1 through 11.0.7, upgrade to version 11.0.8. For Apache Tomcat versions 10.1.0-M1 through 10.1.41, upgrade to version 10.1.42. For Apache Tomcat versions 9.0.0.M1 through 9.0.105, upgrade to version 9.0.106.