tomcat10

Description: Open source implementation of the Java Servlet 5.0 and JavaServer Pages 3.0 technologies
Version: 10.1.40-1 [extra]

Open

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-2888 | 10.1.40-1 | | High | Vulnerable | |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2025-49125 | AVG-2888 | Low | Yes | Access restriction bypass | When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected... |
| CVE-2025-48988 | AVG-2888 | Medium | Yes | Denial of service | Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained,... |
| CVE-2025-48976 | AVG-2888 | Medium | Yes | Denial of service | Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request... |
| CVE-2025-46701 | AVG-2888 | Low | Yes | Access restriction bypass | When running on a case insensitive file system with security constraints configured for the pathInfo component of a URL that mapped to the CGI servlet, it... |
| CVE-2025-31650 | AVG-2888 | High | Yes | Denial of service | Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large... |

Resolved

| Group | Affected | Fixed | Severity | Status | Ticket |
|---|---|---|---|---|---|
| AVG-2829 | 10.1.4-1 | 10.1.5-1 | Medium | Fixed | |
| AVG-2469 | 10.0.11-1 | 10.0.12-1 | High | Fixed | |
| Issue | Group | Severity | Remote | Type | Description |
|---|---|---|---|---|---|
| CVE-2023-24998 | AVG-2829 | Medium | Yes | Denial of service | A renamed copy of Apache Commons FileUpload packaged in Tomcat was vulnerable to denial of service triggered by a malicious upload or series of uploads. |
| CVE-2021-42340 | AVG-2469 | High | Yes | Denial of service | A security issue has been found in Apache Tomcat before versions 10.0.12, 9.0.54 and 8.5.72. The fix for bug 63362 introduced a memory leak. The object... |