7.5
CVE-2026-29146
- EPSS 5.04%
- Veröffentlicht 09.04.2026 20:16:24
- Zuletzt bearbeitet 09.07.2026 13:16:55
- Quelle security@apache.org
- CVE-Watchlists
- Unerledigt
Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 5.04% | 0.913 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | 7.5 | 3.9 | 3.6 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
|
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptographic implementation.
CWE-209 Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.
CWE-642 External Control of Critical State Data
The product stores security-critical state information about its users, or the product itself, in a location that is accessible to unauthorized actors.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
http://www.openwall.com/lists/oss-security/2026/04/09/24
https://bugzilla.redhat.com/show_bug.cgi?id=2457020
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-29146.json
https://access.redhat.com/errata/RHSA-2026:20405
https://access.redhat.com/errata/RHSA-2026:20406
https://access.redhat.com/errata/RHSA-2026:36787
https://access.redhat.com/errata/RHSA-2026:36788
https://access.redhat.com/errata/RHSA-2026:36789
https://access.redhat.com/errata/RHSA-2026:36790
https://access.redhat.com/errata/RHSA-2026:36876
https://access.redhat.com/errata/RHSA-2026:36877
https://access.redhat.com/errata/RHSA-2026:36878
https://access.redhat.com/errata/RHSA-2026:36879
https://access.redhat.com/errata/RHSA-2026:37136
https://access.redhat.com/errata/RHSA-2026:37137
https://access.redhat.com/security/cve/CVE-2026-29146