All errata/sisyphus/ALT-PU-2026-6771-2
ALT-PU-2026-6771-2

Package update tomcat10 in branch sisyphus

Version10.1.54-alt1_jvm17
Published2026-05-23
Max severityHIGH
Severity:

Closed issues (12)

BDU:2026-05544
HIGH7.5

Уязвимость сервера приложений Apache Tomcat, связанная с недостатками шифрования конфиденциальных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-04-16
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
BDU:2026-07145
HIGH7.5

Уязвимость сервера приложений Apache Tomcat, связанная с недостатком механизма кодирования или экранирования выходных данных, позволяющая нарушителю выполнить произвольный код

Published: 2026-05-21Modified: 2026-05-26
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
BDU:2026-07146
MEDIUM6.5

Уязвимость сервера приложений Apache Tomcat, связанная c недостатками процедуры аутентификации, позволяющая нарушителю повысить свои привилегии

Published: 2026-05-21Modified: 2026-05-26
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS 2.0MEDIUM 6.1
CVSS:2.0/AV:N/AC:H/Au:N/C:C/I:P/A:N
BDU:2026-07147
HIGH7.5

Уязвимость сервера приложений Apache Tomcat, связанная с недостаточной защитой регистрационных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2026-05-21Modified: 2026-05-26
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0HIGH 7.8
CVSS:2.0/AV:N/AC:L/Au:N/C:C/I:N/A:N
CVE-2026-34483
HIGH7.5

Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.

Published: 2026-04-09Modified: 2026-06-17
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2026-34486
HIGH7.5

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Published: 2026-04-09Modified: 2026-06-30
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2026-34487
HIGH7.5

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.

Published: 2026-04-09Modified: 2026-06-17
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE-2026-34500
MEDIUM6.5

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.

Published: 2026-04-09Modified: 2026-06-17
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N