Skip to main content
Hit enter to search or ESC to close
Close Search
Menu
Binary Subscriptions
TomEE for Oracle Insurance Policy Administration Suite
TomEE for OpenText Web Experience Management
TomEE for OpenText Process Suite Platform
TomEE for OpenText AppWorks Platform
TomEE for Dassault Systemes SIMULIA Isight
TomEE for Dassault Systemes 3DEXPERIENCE Platform
Tomcat for Dassault Systemes ENOVIA
Tomcat for Progress OpenEdge
Support Subscriptions
Apache TomEE Support
Apache ActiveMQ Support
Apache Tomcat Support
CVE Patching
Enterprise Support
Tomitribe Community Partnership Program
CVE Index
Resources
Blog
Case Studies & Reports
Tribe’s Videos
Company
About Tomitribe
Community
Contact Us
Login
Get A Quote
Apache Tomcat 10.1.x Support
Common Vulnerabilities & Exposures (CVE)
First release:
2022-09-23
Support Lifecycle:
Full Support
CVEs:
12
Namespace:
javax
Get Support
What Versions do we cover?
10.1.0
10.1.1
10.1.2
10.1.4
10.1.5
10.1.6
10.1.7
10.1.8
10.1.10
10.1.9
10.1.11
10.1.12
10.1.13
10.1.17
10.1.18
10.1.14
10.1.15
10.1.16
10.1.33
10.1.30
10.1.28
10.1.26
10.1.23
10.1.31
10.1.20
10.1.24
10.1.25
10.1.34
10.1.35
10.1.39
10.1.29
10.1.36
10.1.19
10.1.40
Latest Apache Tomcat 10.1.x CVEs
CVE
Severity
Description
Category
Affected
CVE-2024-24549
2024-01-25
0.0
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
data
operational
CWE-20
Details
CVE-2024-23672
2024-01-19
0.0
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
data
operational
CWE-459
Details
CVE-2023-46589
2023-10-23
7.5
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
data
operational
CWE-444
Details
CVE-2023-42795
2023-09-14
5.9
Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
data
operational
CWE-459
Details
CVE-2023-45648
2023-10-10
7.5
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
data
operational
CWE-20
Details
Most Critical Apache Tomcat 10.1.x CVEs
CVE
Severity
Description
Category
Affected
CVE-2022-42252
2022-10-03
7.5
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
data
operational
CWE-444
Details
CVE-2023-28709
2023-03-21
7.5
The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
configuration
data
CWE-193
Details
CVE-2023-34981
2023-06-08
7.5
A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers no AJP SEND_HEADERS messare woudl be sent for the response which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request leading to an information leak.
Details
CVE-2023-45648
2023-10-10
7.5
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.
data
operational
CWE-20
Details
CVE-2023-46589
2023-10-23
7.5
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
data
operational
CWE-444
Details
What We Deliver
Migration support
Production & Development support
1 hr response-time
Unlimited support incidents
5 languages supported
Fast bug fixes & security patch turnaround
Enterprise Support Details
Subscription Level
Bronze
Silver
Gold
Core Count
64 cores
120 cores
248 cores
Apache Tomcat
✓
✓
✓
Apache TomEE
✓
✓
✓
Apache ActiveMQ
✓
✓
✓
Tribestream API Gateway
✓
✓
✓
SLA
24x7
24x7
24x7
Response Time
1hr
1hr
1hr
Incidents
unlimited
unlimited
unlimited
CVE Patching
unlimited
unlimited
unlimited
Developer Questions
1 parallel
2 parallel
4 parallel
Admin Contacts
2
3
4
Phone, Email, Portal
✓
✓
✓
Professional Services
3 days
5 days
10 days
Training
2 days
3 days
5 days
Feature Development
10 days
17 days
25 days
Close Menu
Binary Subscriptions
TomEE for Oracle Insurance Policy Administration Suite
TomEE for OpenText Web Experience Management
TomEE for OpenText Process Suite Platform
TomEE for OpenText AppWorks Platform
TomEE for Dassault Systemes SIMULIA Isight
TomEE for Dassault Systemes 3DEXPERIENCE Platform
Tomcat for Dassault Systemes ENOVIA
Tomcat for Progress OpenEdge
Support Subscriptions
Apache TomEE Support
Apache ActiveMQ Support
Apache Tomcat Support
CVE Patching
Enterprise Support
Tomitribe Community Partnership Program
CVE Index
Resources
Blog
Case Studies & Reports
Tribe’s Videos
Company
About Tomitribe
Community
Contact Us
Login
Get A Quote
twitter
facebook
linkedin
youtube
github