PT-2026-40073 · Apache · Apache Tomcat
Published
2026-05-12
·
Updated
2026-06-01
·
CVE-2026-43514
CVSS v3.1
3.7
Low
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 11.0.0-M1 through 11.0.21
Apache Tomcat versions 10.1.0-M1 through 10.1.54
Apache Tomcat versions 9.0.0.M1 through 9.0.117
Apache Tomcat versions 8.5.0 through 8.5.100
Apache Tomcat versions 7.0.0 through 7.0.109
Apache Tomcat versions prior to 7.0.0
Description
An observable timing discrepancy occurs when comparing the AJP secret. A timing discrepancy is a side-channel attack where an attacker can infer secret information by measuring the time a system takes to process different inputs.
Recommendations
Upgrade versions 11.0.0-M1 through 11.0.21 to 11.0.22.
Upgrade versions 10.1.0-M1 through 10.1.54 to 10.1.55.
Upgrade versions 9.0.0.M1 through 9.0.117 to 9.0.118.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Apache Tomcat