CVE-2023-41080
- EPSS 5.97%
- Veröffentlicht 25.08.2023 21:15:09
- Zuletzt bearbeitet 07.08.2025 11:15:27
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature Apache Tomcat.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.0.12, from 9.0.0-M1 through 9.0.79 and from ...
CVE-2023-34981
- EPSS 1.12%
- Veröffentlicht 21.06.2023 11:15:09
- Zuletzt bearbeitet 21.11.2024 08:07:46
A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJ...
CVE-2023-28709
- EPSS 51.55%
- Veröffentlicht 22.05.2023 11:15:09
- Zuletzt bearbeitet 13.02.2025 17:16:16
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using...
CVE-2023-28708
- EPSS 1.83%
- Veröffentlicht 22.03.2023 11:15:10
- Zuletzt bearbeitet 04.11.2025 20:16:26
When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71...
CVE-2022-45143
- EPSS 2.51%
- Veröffentlicht 03.01.2023 19:15:10
- Zuletzt bearbeitet 21.11.2024 07:28:50
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for u...
CVE-2022-42252
- EPSS 1.45%
- Veröffentlicht 01.11.2022 09:15:10
- Zuletzt bearbeitet 06.05.2025 16:15:26
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request con...
CVE-2021-43980
- EPSS 1.91%
- Veröffentlicht 28.09.2022 14:15:09
- Zuletzt bearbeitet 21.05.2025 15:15:55
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10...
CVE-2022-34305
- EPSS 6.16%
- Veröffentlicht 23.06.2022 11:15:07
- Zuletzt bearbeitet 21.11.2024 07:09:15
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.
CVE-2022-25762
- EPSS 8.03%
- Veröffentlicht 13.05.2022 08:15:06
- Zuletzt bearbeitet 21.11.2024 06:52:57
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket a...
CVE-2022-29885
- EPSS 73.14%
- Veröffentlicht 12.05.2022 08:15:07
- Zuletzt bearbeitet 21.11.2024 06:59:54
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct....