All errata/p10/ALT-PU-2022-3296-3
ALT-PU-2022-3296-3

Package update tomcat in branch p10

Version9.0.59-alt1_3jpp11
Task#309784
Published2024-12-25
Max severityHIGH
Severity:

Closed issues (8)

BDU:2021-03686
MEDIUM4.8

Уязвимость реализации модуля JNDIRealm сервера приложений Apache Tomcat, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2021-07-20Modified: 2025-05-05
CVSS 3.xMEDIUM 4.8
CVSS:3.x/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:H/Au:N/C:P/I:P/A:N
References
BDU:2021-03688
MEDIUM5.3

Уязвимость сервера приложений Apache Tomcat, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю отправить скрытый HTTP-запрос

Published: 2021-07-20Modified: 2025-07-29
CVSS 3.xMEDIUM 5.3
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
References
BDU:2021-06115
HIGH7.5

Уязвимость сервера приложений Apache Tomcat, связанная с утечкой памяти, позволяющая нарушителю вызвать отказ в обслуживании

Published: 2021-12-16Modified: 2025-07-29
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
References
BDU:2022-06690
HIGH7.0

Уязвимость сервера приложений Apache Tomcat, связанная с ошибками синхронизации при использовании общего ресурса, позволяющая нарушителю повысить свои привилегии

Published: 2022-11-09Modified: 2025-07-29
CVSS 3.xHIGH 7.0
CVSS:3.x/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0MEDIUM 6.0
CVSS:2.0/AV:L/AC:H/Au:S/C:C/I:C/A:C
References
CVE-2021-30640
MEDIUM6.5

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

Published: 2021-07-12Modified: 2024-11-21
CVSS 2.0MEDIUM 5.8
CVSS:2.0/AV:N/AC:M/Au:N/C:P/I:P/A:N
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N
References
CVE-2021-33037
MEDIUM5.3

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Published: 2021-07-12Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:P/A:N
CVSS 3.xMEDIUM 5.3
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
References
CVE-2021-42340
HIGH7.5

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

Published: 2021-10-14Modified: 2024-11-21
CVSS 2.0MEDIUM 5.0
CVSS:2.0/AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 3.xHIGH 7.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
References
CVE-2022-23181
HIGH7.0

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

Published: 2022-01-27Modified: 2024-11-21
CVSS 2.0LOW 3.7
CVSS:2.0/AV:L/AC:H/Au:N/C:P/I:P/A:P
CVSS 3.xHIGH 7.0
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References

Closed bugs (1)

Bug #40819

Jasper is unabled to compile class for JSP