CRITICAL 9.8 CVE-2026-43512 Apache Tomcat: Digest authenticator will authenticate any unknown user
from 0
CRITICAL 9.8 CVE-2026-41293 Apache Tomcat: HTTP/2 request headers not validated
from 0
CRITICAL 9.8 Apache Tomcat: Bypass of rules in Rewrite Valve
from 0, < 11.0.6-1
CRITICAL 9.6 Apache Tomcat: console manipulation via escape sequences in log messages
from 0, < 11.0.15-1~deb13u1
CRITICAL 9.1 Apache Tomcat: Security constraints not correctly applied
from 0
CRITICAL 9.1 Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled
from 0
CRITICAL 9.1 Apache Tomcat: Client certificate verification bypass due to virtual host mapping
from 0, < 11.0.15-1~deb13u1
HIGH 7.5 Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
from 0
HIGH 7.5 Apache Tomcat: LockOutRealm treats user names as case-sensitive
from 0
HIGH 7.5 Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token
from 0
HIGH 7.5 Apache Tomcat: Incomplete escaping of JSON access logs
from 0
HIGH 7.5 Apache Tomcat: Request smuggling via invalid chunk extension
from 0
HIGH 7.5 Apache Tomcat: TLS cipher order is not preserved
from 0
HIGH 7.5 Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default
from 0
HIGH 7.5 Apache Tomcat Native, Apache Tomcat: OCSP revocation bypass
from 0
HIGH 7.5 Apache Tomcat: Directory traversal via rewrite with possible RCE if PUT is enabled
from 0, < 11.0.15-1~deb13u1
HIGH 7.5 Apache Tomcat: h2 DoS - Made You Reset
from 0, < 11.0.15-1~deb13u1
HIGH 7.5 Apache Tomcat: DoS via excessive h2 streams at connection start
from 0, < 11.0.15-1~deb13u1
HIGH 7.5 Apache Tomcat: DoS via integer overflow in multipart file upload
from 0, < 11.0.15-1~deb13u1
HIGH 7.5 Apache Tomcat: Security constraint bypass for pre/post-resources
from 0, < 11.0.15-1~deb13u1
HIGH 7.5 Apache Commons FileUpload, Apache Commons FileUpload: FileUpload DoS via part headers
from 0, < 11.0.15-1~deb13u1
HIGH 7.5 Apache Tomcat: FileUpload large number of parts with headers DoS
from 0, < 11.0.15-1~deb13u1
HIGH 7.5 Apache Tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame
from 0, < 11.0.6-1
HIGH 7.3 Apache Tomcat: WebSocket authentication header exposure
from 0
HIGH 7.3 Apache Tomcat: Security constraint bypass for CGI scripts
from 0, < 11.0.15-1~deb13u1
HIGH 7.3 Apache Tomcat: Security constraint bypass for CGI scripts
from 0, < 11.0.15-1~deb13u1
MEDIUM 6.5 Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
from 0
MEDIUM 6.5 Apache Tomcat: session fixation via rewrite valve
from 0, < 11.0.15-1~deb13u1
MEDIUM 6.1 Apache Tomcat: Occasionally open redirect
from 0
MEDIUM 5.3 Apache Tomcat: Fix for CVE-2025-66614 is incomplete
from 0
MEDIUM 5.3 Apache Tomcat: Delayed cleaning of multi-part upload temporary files may lead to DoS
from 0, < 11.0.15-1~deb13u1
LOW 3.7 Apache Tomcat: AJP secret compared in non-constant time
from 0
LOW 3.7 Apache Tomcat: Security constraint bypass with HTTP/0.9
from 0, < 11.0.15-1~deb13u1