Mark Thomas

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 11.0.16 through 11.0.18 Apache Tomcat versions 10.1.51 through 10.1.52 Apache Tomcat versions 9.0.114 through 9.0.115 Description An issue exists in Apache Tomcat where the configured cipher preference order is not preserved. Upgrade to version 11.0.20, 10.1.53, or 9.0.116 to resolve this issue. Recommendations Upgrade to Apache Tomcat version 11.0.20 Upgrade to Apache Tomcat version 10.1.53 Upgrade to Apache Tomcat version 9.0.116

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M1 through 11.0.14 Apache Tomcat versions 10.1.0-M1 through 10.1.49 Apache Tomcat versions 9.0.0-M1 through 9.0.112 Older, End-of-Life (EOL) versions are also affected **Description** Apache Tomcat does not properly limit HTTP/0.9 requests to the GET method. This allows an attacker to bypass security constraints. Specifically, if a security constraint is configured to allow HEAD requests to a Uniform Resource Identifier (URI) but denies GET requests to the same URI, a user can circumvent this restriction on GET requests by sending a specification-invalid HEAD request using HTTP/0.9. This is achieved by sending a crafted HTTP/0.9-style request that bypasses the intended enforcement of security constraints. The issue occurs when a Tomcat security constraint allows HEAD requests while denying GET requests to the same URI. **Recommendations** Upgrade to Apache Tomcat version 11.0.15 or later. Upgrade to Apache Tomcat version 10.1.50 or later. Upgrade to Apache Tomcat version 9.0.113 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M1 through 11.0.5 Apache Tomcat versions 10.1.0-M1 through 10.1.39 Apache Tomcat versions 9.0.0.M1 through 9.0.102 **Description** The issue is related to the improper neutralization of escape, meta, or control sequences in Apache Tomcat, which could allow a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. **Recommendations** Upgrade to version [FIXED VERSION] to fix the issue for Apache Tomcat versions 11.0.0-M1 through 11.0.5 Upgrade to version [FIXED VERSION] to fix the issue for Apache Tomcat versions 10.1.0-M1 through 10.1.39 Upgrade to version [FIXED VERSION] to fix the issue for Apache Tomcat versions 9.0.0.M1 through 9.0.102

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 8.5.90 through 8.5.100 Apache Tomcat versions 9.0.76 through 9.0.102 Apache Tomcat versions 10.1.10 through 10.1.39 Apache Tomcat versions 11.0.0-M2 through 11.0.5 **Description** Improper input validation in Apache Tomcat occurs due to incorrect error handling of invalid HTTP priority headers. This failure leads to an incomplete clean-up of failed requests, resulting in a memory leak. A remote attacker can exploit this by sending a large volume of specially crafted HTTP requests to trigger an `OutOfMemoryException`, causing a denial of service. **Recommendations** Upgrade to version 9.0.104 for affected 9.0.x versions. Upgrade to version 10.1.40 for affected 10.1.x versions. Upgrade to version 11.0.6 for affected 11.0.x versions. As a temporary workaround, restrict or filter invalid HTTP priority headers to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 9.0.96 through 11.0.0 Apache Tomcat version 10.1.31 **Description** The issue is related to incorrect object recycling and reuse in Apache Tomcat, which can lead to a cross-site scripting (XSS) attack. This occurs because pooled JSP tags are not released after use, causing some tags' output not to be escaped as expected, resulting in unescaped output that could lead to XSS. **Recommendations** For Apache Tomcat version 9.0.96, upgrade to version 9.0.97 or later. For Apache Tomcat version 10.1.31, upgrade to version 10.1.33 or later. For Apache Tomcat version 11.0.0, upgrade to version 11.0.1 or later.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat Connectors versions 1.2.9-beta through 1.2.49 **Description** The issue allows local users to view and modify shared memory containing mod jk configuration, which may lead to information disclosure and/or denial of service. This issue affects Apache Tomcat Connectors on Unix-like systems, but neither the ISAPI redirector nor mod jk on Windows is affected. **Recommendations** For versions 1.2.9-beta through 1.2.49, upgrade to version 1.2.50, which fixes the issue. As a temporary workaround, consider restricting access to the shared memory containing mod jk configuration to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M1 through 11.0.0-M16 Apache Tomcat versions 10.1.0-M1 through 10.1.18 Apache Tomcat versions 9.0.0-M1 through 9.0.85 Apache Tomcat versions 8.5.0 through 8.5.98 **Description** The issue is related to a Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open, leading to increased resource consumption. **Recommendations** Upgrade to version 11.0.0-M17 to fix the issue for versions 11.0.0-M1 through 11.0.0-M16. Upgrade to version 10.1.19 to fix the issue for versions 10.1.0-M1 through 10.1.18. Upgrade to version 9.0.86 to fix the issue for versions 9.0.0-M1 through 9.0.85. Upgrade to version 8.5.99 to fix the issue for versions 8.5.0 through 8.5.98.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M1 through 11.0.0-M26 Apache Tomcat versions 10.1.0-M1 through 10.1.30 Apache Tomcat versions 9.0.0-M1 through 9.0.95 **Description** The issue is related to an Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication ServerAuthContext component that may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This vulnerability could potentially allow a remote attacker to bypass the authentication process and cause a denial of service. **Recommendations** To resolve the issue, upgrade to version 11.0.0, 10.1.31, or 9.0.96, which fix the issue. For versions 11.0.0-M1 through 11.0.0-M26, upgrade to version 11.0.0. For versions 10.1.0-M1 through 10.1.30, upgrade to version 10.1.31. For versions 9.0.0-M1 through 9.0.95, upgrade to version 9.0.96.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M23 through 11.0.0-M26 Apache Tomcat versions 10.1.27 through 10.1.30 Apache Tomcat versions 9.0.92 through 9.0.95 **Description** The issue is related to incorrect object re-cycling and re-use in Apache Tomcat, specifically affecting the recycling of requests and responses used by HTTP/2 requests. This could lead to a mix-up of requests and/or responses between users, potentially causing sensitive data leaks. **Recommendations** For Apache Tomcat versions 11.0.0-M23 through 11.0.0-M26, upgrade to version 11.0.0 to fix the issue. For Apache Tomcat versions 10.1.27 through 10.1.30, upgrade to version 10.1.31 to fix the issue. For Apache Tomcat versions 9.0.92 through 9.0.95, upgrade to version 9.0.96 to fix the issue.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M1 through 11.0.0-M11 Apache Tomcat versions 10.1.0-M1 through 10.1.13 Apache Tomcat versions 9.0.0-M1 through 9.0.80 Apache Tomcat versions 8.5.0 through 8.5.93 **Description** The issue is related to an Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next. **Recommendations** Upgrade to version 11.0.0-M12 onwards Upgrade to version 10.1.14 onwards Upgrade to version 9.0.81 onwards Upgrade to version 8.5.94 onwards

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 11.0.0-M1 through 11.0.0-M2 Apache Tomcat versions 10.1.0-M1 through 10.1.5 Apache Tomcat versions 9.0.0-M1 through 9.0.71 Apache Tomcat versions 8.5.0 through 8.5.85 **Description** When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel. **Recommendations** For Apache Tomcat versions 11.0.0-M1 through 11.0.0-M2, update to a version that includes the fix for this issue. For Apache Tomcat versions 10.1.0-M1 through 10.1.5, update to a version that includes the fix for this issue. For Apache Tomcat versions 9.0.0-M1 through 9.0.71, update to a version that includes the fix for this issue. For Apache Tomcat versions 8.5.0 through 8.5.85, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the RemoteIpFilter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Apache Tomcat versions 8.5.50 through 8.5.81 Apache Tomcat versions 9.0.30 through 9.0.64 Apache Tomcat versions 10.0.0-M1 through 10.0.22 Apache Tomcat versions 10.1.0-M1 through 10.1.0-M16 **Description** The Form authentication example in the examples web application displayed user-provided data without filtering, exposing a cross-site scripting (XSS) issue. This could allow a remote attacker to conduct an XSS attack. **Recommendations** For Apache Tomcat versions 8.5.50 through 8.5.81, update to a version that includes the fix for this issue. For Apache Tomcat versions 9.0.30 through 9.0.64, update to a version that includes the fix for this issue. For Apache Tomcat versions 10.0.0-M1 through 10.0.22, update to a version that includes the fix for this issue. For Apache Tomcat versions 10.1.0-M1 through 10.1.0-M16, update to a version that includes the fix for this issue. As a temporary workaround, consider disabling the Form authentication example in the examples web application until a patch is available.