pkg:Debian/tomcat9

All known vulnerabilities

• CRITICAL9.8CVE-2025-24813⚠ KEVApache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
  from 0, < 9.0.43-2~deb11u12
• CRITICAL9.8CVE-2025-24813⚠ KEVApache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
  from 0, < 9.0.43-2~deb11u12
• CRITICAL9.8⚠ KEVImproper Privilege Management in Tomcat
  from 0, < 9.0.31-1
• MEDIUM5.3⚠ KEVnghttp2 - security update
  from 0, < 9.0.43-2~deb11u7
• CRITICAL9.8Apache Tomcat: HTTP/2 request headers not validated
  from 0, < 9.0.70-2
• CRITICAL9.8Apache Tomcat: Digest authenticator will authenticate any unknown user
  from 0, < 9.0.70-2
• CRITICAL9.8Apache Tomcat: Bypass of rules in Rewrite Valve
  from 0, < 9.0.107-0+deb11u1
• CRITICAL9.8Apache Tomcat: RCE due to TOCTOU issue in JSP compilation - CVE-2024-50379 mitigation was incomplete
  from 0, < 9.0.43-2~deb11u11
• CRITICAL9.8Apache Tomcat: RCE due to TOCTOU issue in JSP compilation
  from 0, < 9.0.43-2~deb11u11
• CRITICAL9.8Apache Tomcat: Authentication bypass when using Jakarta Authentication API
  from 0, < 9.0.43-2~deb11u11
• CRITICAL9.6Apache Tomcat: console manipulation via escape sequences in log messages
  from 0, < 9.0.107-0+deb11u2
• CRITICAL9.1Apache Tomcat: Security constraints not correctly applied
  from 0, < 9.0.70-2
• CRITICAL9.1Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
  from 0, < 9.0.70-2
• CRITICAL9.1Apache Tomcat: Client certificate verification bypass due to virtual host mapping
  from 0, < 9.0.70-2
• HIGH8.6Apache Tomcat: Denial of Service
  from 0, < 9.0.43-2~deb11u11
• HIGH8.6Response mix-up with WebSocket concurrent send and close
  from 0, < 9.0.22-1
• HIGH7.5Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat: LockOutRealm treats user names as case-sensitive
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat: Incomplete escaping of JSON access logs
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat: TLS cipher order is not preserved
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat: Request smuggling via invalid chunk extension
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled
  from 0, < 9.0.107-0+deb11u2
• HIGH7.5Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled
  from 0, < 9.0.107-0+deb11u2
• HIGH7.5Apache Tomcat: h2 DoS - Made You Reset
  from 0, < 9.0.70-2
• HIGH7.5Apache Tomcat: DoS via excessive h2 streams at connection start
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Tomcat: APR/Native Connector crash leading to DoS
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Tomcat: DoS via integer overflow in multipart file upload
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Tomcat: FileUpload large number of parts with headers DoS
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Tomcat: Security constraint bypass for pre/post-resources
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Tomcat: HTTP/2 excess header handling DoS
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Tomcat: HTTP/2 excess header handling DoS
  from 0, < 9.0.107-0+deb11u1
• HIGH7.5Apache Tomcat: HTTP/2 header handling DoS
  from 0, < 9.0.43-2~deb11u10
• HIGH7.5Apache Tomcat: HTTP request smuggling via malformed trailer headers
  from 0, < 9.0.43-2~deb11u10
• HIGH7.5Apache Tomcat: HTTP request smuggling via malformed trailer headers
  from 0, < 9.0.43-2~deb11u10
• HIGH7.5Apache Tomcat: HTTP request smuggling via malformed trailer headers
  from 0, < 9.0.31-1~deb10u11
• HIGH7.5tomcat9 - security update
  from 0, < 9.0.31-1~deb10u9
• HIGH7.5tomcat9 - security update
  from 0, < 9.0.43-2~deb11u7
• HIGH7.5tomcat9 - security update
  from 0, < 9.0.43-2~deb11u7
• HIGH7.5Apache Tomcat: JsonErrorReportValve escaping
  from 0, < 9.0.43-2~deb11u6
• HIGH7.5Apache Tomcat request smuggling via malformed content-length
  from 0, < 9.0.43-2~deb11u6
• HIGH7.5Apache Tomcat request smuggling via malformed content-length
  from 0, < 9.0.43-2~deb11u6
• HIGH7.5Apache Tomcat request smuggling via malformed content-length
  from 0, < 9.0.31-1~deb10u8
• HIGH7.5EncryptInterceptor does not provide complete protection on insecure networks
  from 0, < 9.0.43-2~deb11u4
• HIGH7.5tomcat9 - security update
  from 0, < 9.0.31-1~deb10u2
• HIGH7.5tomcat9 - security update
  from 0, < 9.0.36-1
• HIGH7.5Apache Tomcat: Request header mix-up between HTTP/2 streams
  from 0, < 9.0.40-1
• HIGH7.5Infinite Loop in Apache Tomcat
  from 0, < 9.0.37-1
• HIGH7.5tomcat8 - security update
  from 0, < 9.0.37-1
• HIGH7.5DoS via memory leak with WebSocket connections
  from 0, < 9.0.43-2~deb11u3
• HIGH7.5DoS via memory leak with WebSocket connections
  from 0, < 9.0.43-2~deb11u3
• HIGH7.5Apache Tomcat DoS with unexpected TLS packet
  from 0, < 9.0.43-2~deb11u2
• HIGH7.5Apache Tomcat DoS with unexpected TLS packet
  from 0, < 9.0.31-1~deb10u6
• HIGH7.5Apache Tomcat h2c request mix-up
  from 0, < 9.0.31-1~deb10u4
• HIGH7.5Apache Tomcat h2c request mix-up
  from 0, < 9.0.43-1
• HIGH7.5Apache Tomcat Denial of Service vulnerability
  from 0, < 9.0.16-1
• HIGH7.5tomcat8 - security update
  from 0, < 9.0.31-1
• HIGH7.5tomcat9 - security update
  from 0, < 9.0.22-1
• HIGH7.5tomcat9 - security update
  from 0, < 9.0.31-1~deb10u1
• HIGH7.3Apache Tomcat: WebSocket authentication header exposure
  from 0, < 9.0.70-2
• HIGH7.3Apache Tomcat: Security constraint bypass for CGI scripts
  from 0, < 9.0.107-0+deb11u1
• HIGH7.0Local privilege escalation with FileStore
  from 0, < 9.0.43-2~deb11u4
• HIGH7.0Incomplete fix for CVE-2020-9484
  from 0, < 9.0.43-1
• HIGH7.0tomcat7 - security update
  from 0, < 9.0.35-1
• HIGH7.0tomcat8 - security update
  from 0, < 9.0.31-1
• MEDIUM6.5Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
  from 0, < 9.0.70-2
• MEDIUM6.5Apache Tomcat: session fixation via rewrite valve
  from 0, < 9.0.70-2
• MEDIUM6.5Auth weakness in JNDIRealm
  from 0, < 9.0.31-1~deb10u5
• MEDIUM6.5Auth weakness in JNDIRealm
  from 0, < 9.0.43-2~deb11u1
• MEDIUM6.3Apache Tomcat: WebSocket DoS with incomplete closing handshake
  from 0, < 9.0.43-2~deb11u10
• MEDIUM6.3Apache Tomcat: WebSocket DoS with incomplete closing handshake
  from 0, < 9.0.31-1~deb10u12
• MEDIUM6.1Apache Tomcat: Occasionally open redirect
  from 0, < 9.0.70-2
• MEDIUM6.1Apache Tomcat: Open redirect with FORM authentication
  from 0, < 9.0.43-2~deb11u7
• MEDIUM6.1XSS in examples web application
  from 0, < 9.0.65-1
• MEDIUM6.1tomcat7 - security update
  from 0, < 9.0.16-4
• MEDIUM5.9Apache Tomcat information disclosure
  from 0, < 9.0.40-1
• MEDIUM5.3Apache Tomcat: Fix for CVE-2025-66614 is incomplete
  from 0, < 9.0.70-2
• MEDIUM5.3Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS
  from 0, < 9.0.107-0+deb11u2
• MEDIUM5.3Apache Tomcat: DoS in examples web application
  from 0, < 9.0.107-0+deb11u1
• MEDIUM5.3Apache Tomcat: Leaking of unrelated request bodies in default error page
  from 0, < 9.0.43-2~deb11u11
• MEDIUM5.3Apache Tomcat: Leaking of unrelated request bodies in default error page
  from 0, < 9.0.43-2~deb11u11
• MEDIUM5.3Apache Tomcat: Trailer header parsing too lenient
  from 0, < 9.0.43-2~deb11u7
• MEDIUM5.3Apache Tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests
  from 0, < 9.0.43-2~deb11u7
• MEDIUM5.3Incorrect Transfer-Encoding handling with HTTP/1.0
  from 0, < 9.0.43-2~deb11u1
• MEDIUM4.8tomcat8 - security update
  from 0, < 9.0.31-1
• MEDIUM4.8Potential HTTP request smuggling in Apache Tomcat
  from 0, < 9.0.31-1
• MEDIUM4.3Apache Tomcat: JSESSIONID Cookie missing secure attribute in some configurations
  from 0, < 9.0.43-2~deb11u6
• MEDIUM4.3tomcat9 - security update
  from 0, < 9.0.31-1~deb10u3
• MEDIUM4.3tomcat9 - security update
  from 0, < 9.0.38-1
• LOW3.7Apache Tomcat: AJP secret compared in non-constant time
  from 0, < 9.0.70-2
• LOW3.7Apache Tomcat: Security constraint bypass with HTTP/0.9
  from 0, < 9.0.70-2
• LOW3.7Apache Tomcat: Information disclosure
  from 0, < 9.0.43-2~deb11u4
• LOW3.7Apache Tomcat: Information disclosure
  from 0, < 9.0.31-1~deb10u7
• LOW3.7Apache Tomcat: Information disclosure
  from 0, < 9.0.43-2~deb11u4