Content
Apache Tomcat 11.x vulnerabilities
This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat® 11.x. Each vulnerability is given a
security impact rating by the Apache
Tomcat security team — please note that this rating may vary from
platform to platform. We also list the versions of Apache Tomcat the flaw
is known to affect, and where a flaw has not been verified list the
version with a question mark.
Note: Vulnerabilities that are not Tomcat vulnerabilities
but have either been incorrectly reported against Tomcat or where Tomcat
provides a workaround are listed at the end of this page.
Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 11.0.x those are
building.html
and
BUILDING.txt
.
Both files can be found in the webapps/docs
subdirectory
of a binary distribution. You may also want to review the
Security Considerations
page in the documentation.
If you need help on building or configuring Tomcat or other help on
following the instructions to mitigate the known vulnerabilities listed
here, please send your questions to the public
Tomcat Users mailing list
If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has security
impact, or if the descriptions here are incomplete,
please report them privately to the
Tomcat Security Team. Thank you.
Table of Contents
2024-11-10 Fixed in Apache Tomcat 11.0.1
Important: XSS in generated JSPs
CVE-2024-52318
The fix for improvement 69333 caused pooled JSP tags not to be
released after use which in turn could cause output of some tags not to
escaped as expected. This unescaped output could lead to XSS.
This was fixed with commit
8d1fc473.
The issue was made public on 18 November 2024.
Affects: 11.0.0
2024-10-09 Fixed in Apache Tomcat 11.0.0
Important: Request and/or response mix-up
CVE-2024-52317
Incorrect recycling of the request and response used by HTTP/2 requests
could lead to request and/or response mix-up between users.
This was fixed with commit
9e840cca.
This issue was identified by the Tomcat Security Team on 1 October 2024.
The issue was made public on 18 November 2024.
Affects: 11.0.0-M23 to 11.0.0-M26
Low: Authentication Bypass
CVE-2024-52316
If Tomcat was configured to use a custom Jakarta Authentication (formerly
JASPIC) ServerAuthContext component which may throw an exception during
the authentication process without explicitly setting an HTTP status to
indicate failure, the authentication may not have failed, allowing the
user to bypass the authentication process. There are no known Jakarta
Authentication components that behave in this way.
This was fixed with commit
6d097a66.
This issue was identified by the Tomcat Security Team on 19 September
2024. The issue was made public on 18 November 2024.
Affects: 11.0.0-M1 to 11.0.0-M26
2024-06-18 Fixed in Apache Tomcat 11.0.0-M21
Important: Denial of Service
CVE-2024-34750
When processing an HTTP/2 stream, Tomcat did not handle some cases of
excessive HTTP headers correctly. This led to a miscounting of active
HTTP/2 streams which in turn led to the use of an incorrect infinite
timeout which allowed connections to remain open which should have been
closed.
This was fixed with commit
2344a4c0.
This issue was reported to the Tomcat Security Team on 4 May 2024. The
issue was made public on 3 July 2024.
Affects: 11.0.0-M1 to 11.0.0-M20
Important: Denial of Service
CVE-2024-38286
Tomcat, under certain configurations on any platform, allows an attacker
to cause an OutOfMemoryError by abusing the TLS handshake process.
This was fixed with commit
31978626.
This issue was reported to the Tomcat Security Team on 4 June 2024. The
issue was made public on 23 September 2024.
Affects: 11.0.0-M1 to 11.0.0-M20
2024-02-19 Fixed in Apache Tomcat 11.0.0-M17
Important: Denial of Service
CVE-2024-23672
It was possible for a WebSocket client to keep a WebSocket connection
open leading to increased resource consumption.
This was fixed with commit
b0e3b1bd.
This issue was identified by the Tomcat Security Team on 17 January 2024.
The issue was made public on 13 March 2024.
Affects: 11.0.0-M1 to 11.0.0-M16
Important: Denial of Service
CVE-2024-24549
When processing an HTTP/2 request, if the request exceeded any of the
configured limits for headers, the associated HTTP/2 stream was not reset
until after all of the headers had been processed.
This was fixed with commit
810f49d5.
This issue was reported to the Tomcat Security Team on 24 January 2024. The
issue was made public on 13 March 2024.
Affects: 11.0.0-M1 to 11.0.0-M16
2023-10-10 Fixed in Apache Tomcat 11.0.0-M12
Important: Request smuggling
CVE-2023-45648
Tomcat did not correctly parse HTTP trailer headers. A specially crafted,
invalid trailer header could cause Tomcat to treat a single request as
multiple requests leading to the possibility of request smuggling when
behind a reverse proxy.
This was fixed with commit
eb5c094e.
This issue was reported to the Tomcat Security Team on 12 September 2023.
The issue was made public on 10 October 2023.
Affects: 11.0.0-M1 to 11.0.0-M11
Important: Denial of Service
CVE-2023-44487
Tomcat's HTTP/2 implementation was vulnerable to the rapid reset
attack. The denial of service typically manifested as an
OutOfMemoryError
.
This was fixed with commit
9cdfe25b.
This issue was reported to the Tomcat Security Team on 14 September 2023.
The issue was made public on 10 October 2023.
Affects: 11.0.0-M1 to 11.0.0-M11
Important: Information Disclosure
CVE-2023-42795
When recycling various internal objects, including the request and the
response, prior to re-use by the next request/response, an error could
cause Tomcat to skip some parts of the recycling process leading to
information leaking from the current request/response to the next.
This was fixed with commit
d6db22e4.
This issue was identified by the Tomcat Security Team on 13 September
2023. The issue was made public on 10 October 2023.
Affects: 11.0.0-M1 to 11.0.0-M11
2023-08-25 Fixed in Apache Tomcat 11.0.0-M11
Moderate: Open redirect
CVE-2023-41080
If the ROOT (default) web application is configured to use FORM
authentication then it is possible that a specially crafted URL could be
used to trigger a redirect to an URL of the attackers choice.
This was fixed with commit
e3703c9a.
This issue was reported to the Tomcat Security Team on 17 August 2023. The
issue was made public on 22 August 2023.
Affects: 11.0.0-M1 to 11.0.0-M10
Important: Request smuggling
CVE-2023-46589
Tomcat did not correctly parse HTTP trailer headers. A specially crafted
trailer header that exceeded the header size limit could cause Tomcat to
treat a single request as multiple requests leading to the possibility of
request smuggling when behind a reverse proxy.
This was fixed with commit
6f181e10.
This issue was reported to the Tomcat Security Team on 20 October 2023.
The issue was made public on 28 November 2023.
Affects: 11.0.0-M1 to 11.0.0-M10
2023-05-09 Fixed in Apache Tomcat 11.0.0-M6
Important: Information disclosure
CVE-2023-34981
The fix for bug 66512 introduced a regression that was fixed
as bug 66591. The regression meant that, if a response did not
have any HTTP headers set, no AJP SEND_HEADERS
message would
be sent which in turn meant that at least one AJP based proxy
(mod_proxy_ajp) would use the response headers from the previous request
for the current request leading to an information leak.
This was fixed with commit
739c7381.
This issue was reported to the Tomcat Security Team on 24 May 2023. The
issue was made public on 21 June 2023.
Affects: 11.0.0-M5
2023-04-19 Fixed in Apache Tomcat 11.0.0-M5
Moderate: Apache Tomcat denial of service
CVE-2023-28709
The fix for CVE-2023-24998 was incomplete. If non-default HTTP
connector settings were used such that the maxParameterCount
could be reached using query string parameters and a request was
submitted that supplied exactly maxParameterCount
parameters
in the query string, the limit for uploaded request parts could be
bypassed with the potential for a denial of service to occur.
This was fixed with commit
d53d8e7f.
This issue was reported to the Tomcat Security Team on 13 March 2023. The
issue was made public on 22 May 2023.
Affects: 11.0.0-M2 to 11.0.0-M4
2023-02-23 Fixed in Apache Tomcat 11.0.0-M3
Important: Apache Tomcat information disclosure
CVE-2023-28708
When using the RemoteIpFilter
with requests received from a
reverse proxy via HTTP that include the X-Forwarded-Proto
header set to https
, session cookies created by Tomcat did not
include the secure attribute. This could result in the user agent
transmitting the session cookie over an insecure channel.
This was fixed with commit
c64d496d.
66471 was reported publicly on 8 February 2023. The security
implications were identified by the Tomcat Security team on 9 February
2023. The issue was made public on 22 March 2023.
Affects: 11.0.0-M1 to 11.0.0-M2
Note: The issue below was fixed in Apache Tomcat 11.0.0-M2 but the
release vote for the 11.0.0-M2 release candidate did not pass. Therefore,
although users must download 11.0.0-M3 to obtain a version that includes
a fix for these issues, version 11.0.0-M2 is not included in the list of
affected versions.
Important: Apache Tomcat denial of service
CVE-2023-24998
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload
to provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the
Apache Commons FileUpload vulnerability CVE-2023-24998 as
there was no limit to the number of request parts processed. This
resulted in the possibility of an attacker triggering a DoS with a
malicious upload or series of uploads.
This was fixed with commit
063e2e81.
This issue was reported to the Apache Tomcat Security team on 11
December 2022. The issue was made public on 20 February 2023.
Affects: 11.0.0-M1