The version of Apache Tomcat installed on the remote host is 8.5.7 to 8.5.63 and 9.0.0-M11 to 9.0.43. It is, therefore, affected by a request smuggling vulnerability.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.50-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2024-011 advisory.

    2024-02-15: CVE-2021-33037 was added to this advisory.

    Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

    Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue     affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.

    Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the     issue. (CVE-2024-21733)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.44. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.44_security-9 advisory.

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

  - Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue     affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to     upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. (CVE-2024-21733)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:0829-1 advisory.

  - Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue     affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to     upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. (CVE-2024-21733)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tomcat8 installed on the remote host is prior to 8.5.69-1.88. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1547 advisory.

    Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

    A flaw was found in Apache Tomcat. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS,     a specially crafted packet can trigger an infinite loop, resulting in a denial of service. The highest     threat from this vulnerability is to system availability. (CVE-2021-41079)

    Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue     affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.

    Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the     issue. (CVE-2024-21733)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 / 25.04 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7562-1 advisory.

    It was discovered that Tomcat did not include the secure attribute for session cookies when using the     RemoteIpFilter with requests from a reverse proxy. An attacker could possibly use this issue to leak     sensitive information. This issue was fixed for tomcat8 on Ubuntu 18.04 LTS and for tomcat9 on Ubuntu     24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04. (CVE-2023-28708)

    It was discovered that Tomcat incorrectly recycled certain objects, which could lead to information     leaking from one request to the next. An attacker could potentially use this issue to leak sensitive     information. This issue was fixed for tomcat8 on Ubuntu 18.04 LTS

    and for tomcat9 on Ubuntu 24.04 LTS, Ubuntu 24.10, and

    Ubuntu 25.04. (CVE-2023-42795)

    It was discovered that Tomcat incorrectly handled HTTP trailer headers. A remote attacker could possibly     use this issue to perform HTTP request smuggling. This issue was fixed for tomcat8 on Ubuntu 18.04 LTS and

    for tomcat9 on Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04. (CVE-2023-45648)

    It was discovered that Tomcat incorrectly handled incomplete POST requests, which could cause error     responses to contain data from previous requests. An attacker could potentially use this issue to leak     sensitive information.

    This issue was fixed for tomcat8 on Ubuntu 18.04 LTS and for tomcat9 on

    Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2024-21733)

    It was discovered that Tomcat incorrectly handled socket cleanup, which could lead to websocket     connections staying open. An attacker could possibly use this issue to cause a denial of service. This     issue was fixed

    for tomcat8 on Ubuntu 18.04 LTS, tomcat9 on Ubuntu 24.04 LTS,

    Ubuntu 24.10, and Ubuntu 25.04, and for tomcat10 on Ubuntu 24.04 LTS. (CVE-2024-23672)

    It was discovered that Tomcat incorrectly handled HTTP/2 requests that exceeded configured header limits.
    An attacker could possibly use this issue to cause a denial of service. (CVE-2024-24549)

    It was discovered that Tomcat incorrectly handled some cases of excessive HTTP headers when processing     HTTP/2 streams. This led to miscounting of active streams and incorrect timeout handling. An attacker     could possibly use this issue to cause connections to remain open indefinitely, leading to a denial of     service. This issue was fixed for tomcat9 on Ubuntu 22.04 LTS,

    Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04, and for tomcat10 on

    Ubuntu 24.04 LTS. (CVE-2024-34750)

    It was discovered that Tomcat incorrectly handled TLS handshake processes under certain configurations. An     attacker could possibly use this issue to cause a denial of service. This issue was fixed for tomcat9 on     Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS,

    Ubuntu 24.10, and Ubuntu 25.04, and for tomcat10 on Ubuntu 24.04 LTS.

    (CVE-2024-38286)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 8.5.69-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT8.5-2024-017 advisory.

    2024-02-15: CVE-2021-30640 was added to this advisory.

    2024-02-15: CVE-2021-33037 was added to this advisory.

    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

    Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

    Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue     affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.

    Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the     issue. (CVE-2024-21733)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.64. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.64_security-8 advisory.

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

  - Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue     affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to     upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue. (CVE-2024-21733)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4017 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4017-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Markus Koschany     January 17, 2025                              https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : tomcat9     Version        : 9.0.43-2~deb11u11     CVE ID         : CVE-2024-21733 CVE-2024-38286 CVE-2024-50379 CVE-2024-52316                      CVE-2024-56337

    Several problems have been addressed in Tomcat 9, a Java based web server,     servlet and JSP engine which may lead to a denial-of-service or the disclosure     of sensitive information.

    CVE-2024-21733

        Generation of Error Message Containing Sensitive Information vulnerability         in Apache Tomcat.

    CVE-2024-38286

        Apache Tomcat, under certain configurations, allows an attacker to cause an         OutOfMemoryError by abusing the TLS handshake process.

    CVE-2024-52316

        Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is         configured to use a custom Jakarta Authentication (formerly JASPIC)         ServerAuthContext component which may throw an exception during the         authentication process without explicitly setting an HTTP status to         indicate failure, the authentication may not fail, allowing the user to         bypass the authentication process. There are no known Jakarta         Authentication components that behave in this way.

    CVE-2024-50379 / CVE-2024-56337

        Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP         compilation in Apache Tomcat permits an RCE on case insensitive file         systems when the default servlet is enabled for write (non-default         configuration).
        Some users may need additional configuration to fully mitigate         CVE-2024-50379 depending on which version of Java they are using with         Tomcat. For Debian 11 bullseye the system property         sun.io.useCanonCaches must be explicitly set to false (it defaults to         true). Most Debian users will not be affected because Debian uses case         sensitive file systems by default.

    For Debian 11 bullseye, these problems have been fixed in version     9.0.43-2~deb11u11.

    We recommend that you upgrade your tomcat9 packages.

    For the detailed security status of tomcat9 please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/tomcat9

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: This is a digitally signed message part

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
114215	Apache Tomcat 9.0.0-M11 < 9.0.44 Request Smuggling	Web App Scanning	Component Vulnerability	2/21/2024	2/21/2024	medium
114216	Apache Tomcat 8.5.7 < 8.5.64 Request Smuggling	Web App Scanning	Component Vulnerability	2/21/2024	2/21/2024	medium
190051	Amazon Linux 2 : tomcat (ALASTOMCAT9-2024-011)	Nessus	Amazon Linux Local Security Checks	2/6/2024	12/11/2024	medium
194473	Apache Tomcat 9.0.0.M1 < 9.0.44 multiple vulnerabilities	Nessus	Web Servers	4/29/2024	5/23/2024	medium
192015	SUSE SLES12 Security Update : tomcat (SUSE-SU-2024:0829-1)	Nessus	SuSE Local Security Checks	3/13/2024	3/15/2024	medium
154900	Amazon Linux AMI : tomcat8 (ALAS-2021-1547)	Nessus	Amazon Linux Local Security Checks	11/5/2021	4/11/2025	medium
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	3/8/2024	3/12/2024	critical
238065	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 24.10 / 25.04 : Tomcat vulnerabilities (USN-7562-1)	Nessus	Ubuntu Local Security Checks	6/10/2025	6/11/2025	high
190055	Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2024-017)	Nessus	Amazon Linux Local Security Checks	2/6/2024	12/11/2024	medium
194472	Apache Tomcat 8.5.0 < 8.5.64 multiple vulnerabilities	Nessus	Web Servers	4/29/2024	5/23/2024	medium
214321	Debian dla-4017 : libtomcat9-embed-java - security update	Nessus	Debian Local Security Checks	1/17/2025	3/13/2025	medium

Detections

Analytics

Plugins Search

medium

medium

medium

medium

medium

medium

critical

high

medium

medium

medium