Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
The vulnerability results from the lack of proper verification of user-supplied input data to the Apache Tomcat server. An attacker can send an appropriately crafted network request without the need for authentication or user interaction. The attack vector is network-based, and attack complexity is low, making the vulnerability exceptionally easy to exploit.
Successful exploitation of this vulnerability may result in complete loss of confidentiality, integrity, and availability of the system — an attacker can gain unauthorized access to data, modify server content, or cause its unavailability.
Apply patches available from the vendor according to the references (the target fixed version was not explicitly indicated in the description — it is recommended to verify the Apache mailing list and official vendor references). In the meantime, it is worth considering restricting network access to the Tomcat server using a firewall.
Apache Tomcat in versions: from 11.0.0-M1 to 11.0.21, from 10.1.0-M1 to 10.1.54, from 9.0.0.M1 to 9.0.117, from 10.0.0-M1 to 10.0.27. Older, unsupported versions may also be vulnerable.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HApache Tomcat
APPApache8.5.0 – 8.5.1009.0.0 – 9.0.118 (bez)10.0.0 – 10.0.2710.1.0 – 10.1.55 (bez)11.0.0 – 11.0.22 (bez)
Related vulnerabilities
Apache Tomcat: Path Equivalence prowadzący do RCE i ujawnienia danych
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache To...
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5....
Detection of Error Condition Without Action vulnerability in Apache Tomcat when configuring CRLs for a FFM bas...
Always-Incorrect Control Flow Implementation vulnerability in Apache Tomcat meant that special roles and empty...