7.5

CVE-2026-29146

Medienbericht

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheTomcat Version >= 7.0.100 <= 7.0.109
ApacheTomcat Version >= 8.5.38 <= 8.5.100
ApacheTomcat Version >= 9.0.13 < 9.0.116
ApacheTomcat Version >= 10.0.0 < 10.1.53
ApacheTomcat Version >= 11.0.0 < 11.0.20
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.04% 0.913
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
134c704f-9b21-4f2e-91b3-4a467353bcc0 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 7.5 3.9 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation

To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.

CWE-209 Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

CWE-642 External Control of Critical State Data

The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
21.05.2026 10:09
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
11.05.2026 16:03
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
20.04.2026 16:46
https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
Vendor Advisory
Mailing List
http://www.openwall.com/lists/oss-security/2026/04/09/24
Third Party Advisory
Mailing List
https://bugzilla.redhat.com/show_bug.cgi?id=2457020
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29146.json
https://access.redhat.com/errata/RHSA-2026:20405
https://access.redhat.com/errata/RHSA-2026:20406
https://access.redhat.com/errata/RHSA-2026:36787
https://access.redhat.com/errata/RHSA-2026:36788
https://access.redhat.com/errata/RHSA-2026:36789
https://access.redhat.com/errata/RHSA-2026:36790
https://access.redhat.com/errata/RHSA-2026:36876
https://access.redhat.com/errata/RHSA-2026:36877
https://access.redhat.com/errata/RHSA-2026:36878
https://access.redhat.com/errata/RHSA-2026:36879
https://access.redhat.com/errata/RHSA-2026:37136
https://access.redhat.com/errata/RHSA-2026:37137
https://access.redhat.com/security/cve/CVE-2026-29146