The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.65-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2023-005 advisory.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was     configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x     only), Tomcat did not reject a request containing an invalid Content-Length header making a request     smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the     request with the invalid header. (CVE-2022-42252)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 8.5.87-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT8.5-2023-013 advisory.

  - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote     Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able     to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords     used to access the JMX interface. The attacker can then use these credentials to access the JMX interface     and gain complete control over the Tomcat instance. (CVE-2019-12418)

  - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98     there was a narrow window where an attacker could perform a session fixation attack. The window was     considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has     been treated as a security vulnerability. (CVE-2019-17563)

  - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to     10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could     trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of     service. (CVE-2020-13935)

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting     in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note     that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is     not enabled by default and must be explicitly configured. (CVE-2023-24998)

  - When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the     X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2,     10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This     could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-176 advisory.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the     X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2,     10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This     could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat8 installed on the remote host is prior to 8.5.87-1.92. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1732 advisory.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the     X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2,     10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This     could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4257-1 advisory.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was     configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x     only), Tomcat did not reject a request containing an invalid Content-Length header making a request     smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the     request with the invalid header. (CVE-2022-42252)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:4221-1 advisory.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was     configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x     only), Tomcat did not reject a request containing an invalid Content-Length header making a request     smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the     request with the invalid header. (CVE-2022-42252)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2022:4009-1 advisory.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5265 advisory.

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat     10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local     attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue     is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3160 advisory.

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat     10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local     attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue     is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 8.5.x to 8.5.77, 9.0.0-M1 to 9.0.60, 10.0.0-M1 to 10.0.18 or 10.1.0-M1 to 10.1.0-M12. It is, therefore, affected by a information disclosure vulnerability. The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 8.5.78. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.78_security-8 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 9.0.62. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.62_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.0.M14. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.0-m14_security-10 advisory.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug that could     cause client connections to share an Http11Processor instance resulting in responses, or part responses,     to be received by the wrong client. (CVE-2021-43980)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.x prior to 9.0.62.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

The version of Apache Tomcat installed on the remote host is 10.x prior to 10.0.20.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

The version of Apache Tomcat installed on the remote host is 8.x prior to 8.5.78.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

ID	Name	Product	Family	Severity
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	critical
181989	Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-005)	Nessus	Amazon Linux Local Security Checks	high
181934	Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-013)	Nessus	Amazon Linux Local Security Checks	high
175066	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2023-176)	Nessus	Amazon Linux Local Security Checks	high
174622	Amazon Linux AMI : tomcat8 (ALAS-2023-1732)	Nessus	Amazon Linux Local Security Checks	medium
168252	SUSE SLES15 Security Update : tomcat (SUSE-SU-2022:4257-1)	Nessus	SuSE Local Security Checks	high
168200	SUSE SLES15 Security Update : tomcat (SUSE-SU-2022:4221-1)	Nessus	SuSE Local Security Checks	high
167786	SUSE SLES12 Security Update : tomcat (SUSE-SU-2022:4009-1)	Nessus	SuSE Local Security Checks	low
166706	Debian DSA-5265-1 : tomcat9 - security update	Nessus	Debian Local Security Checks	high
166572	Debian DLA-3160-1 : tomcat9 - LTS security update	Nessus	Debian Local Security Checks	high
113378	Apache Tomcat 8.5.x < 8.5.78 Information Disclosure	Web App Scanning	Component Vulnerability	low
113377	Apache Tomcat 9.0.0-M1 < 9.0.62 Information Disclosure	Web App Scanning	Component Vulnerability	low
113376	Apache Tomcat 10.0.0-M1 < 10.0.20 Information Disclosure	Web App Scanning	Component Vulnerability	low
113375	Apache Tomcat 10.1.0-M1 < 10.1.0-M14 Information Disclosure	Web App Scanning	Component Vulnerability	low
701425	Apache Tomcat < 8.5.78 Vulnerability	Nessus Network Monitor	Web Servers	medium
701424	Apache Tomcat < 9.0.62 Vulnerability	Nessus Network Monitor	Web Servers	medium
165511	Apache Tomcat 10.1.0.M1 < 10.1.0.M14 vulnerability	Nessus	Web Servers	low
159464	Apache Tomcat 9.0.0.M1 < 9.0.62 Spring4Shell (CVE-2022-22965) Mitigations	Nessus	Web Servers	low
159463	Apache Tomcat 10.0.0.M1 < 10.0.20 Spring4Shell (CVE-2022-22965) Mitigations	Nessus	Web Servers	low
159462	Apache Tomcat 8.x < 8.5.78 Spring4Shell (CVE-2022-22965) Mitigations	Nessus	Web Servers	low

Detections

Analytics

CVE-2021-43980

low

Tenable Plugins

critical

high

high

high

medium

high

high

low

high

high

low

low

low

low

medium

medium

low

low

low

low