Apache Tomcat 9.0.0-M1 < 9.0.116 Multiple Vulnerabilities

high Web App Scanning Plugin ID 115220

Synopsis

Apache Tomcat 9.0.0-M1 < 9.0.116 Multiple Vulnerabilities

Description

The version of Apache Tomcat installed on the remote host is 9.0.0-M1 prior to 9.0.116, 10.1.0-M1 prior to 10.1.53 or 11.0.0-M1 prior to 11.0.20. It is, therefore, affected by multiple vulnerabilities:

- The EncryptInterceptor used CBC by default, which is vulnerable to a padding oracle attack. (CVE-2026-29146)

- The validation of SNI name and host name did not take account of possible differences in case allowing the strict SNI checks to be bypassed. This is an incomplete fix for CVE-2025-66614. (CVE-2026-32990)

- CLIENT_CERT authentication did not fail OCSP checks as expected for some scenarios when soft fail was disabled. (CVE-2026-29145)

- The addition of the ability to configure TLS 1.3 cipher suites did not preserve the order of the configured cipher suites and ciphers. (CVE-2026-29129)

- When a Tomcat node in a cluster with the LoadBalancerDrainingValve was in the disabled (draining) state, a specially crafted URL could be used to trigger a redirect to a URI of the attacker's choice. (CVE-2026-25854)

- Tomcat did not validate the contents of HTTP/1.1 chunk extensions. This enabled a request smuggling attack if a reverse proxy in front of Tomcat allowed CRLF sequences in an otherwise valid chunk extension. (CVE-2026-24880)

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Tomcat version 9.0.116 or later.

See Also

https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116

Plugin Details

Severity: High

ID: 115220

Type: Version Based

Published: 4/14/2026

Updated: 4/14/2026

Scan Template: api, basic, full, pci, scan

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: High

Base Score: 9.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2026-29145

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVSS Score Source: CVE-2026-29145

CVSS v4

Risk Factor: High

Base Score: 8.7

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CVSS Score Source: CVE-2026-29146

Vulnerability Information

CPE: cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:*

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 3/19/2026

Reference Information

CVE: CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145, CVE-2026-29146, CVE-2026-32990

CWE: 20, 209, 287, 327, 444, 601, 642

OWASP: 2010-A10, 2010-A3, 2010-A4, 2010-A6, 2010-A9, 2013-A10, 2013-A2, 2013-A4, 2013-A5, 2013-A6, 2013-A9, 2017-A2, 2017-A3, 2017-A5, 2017-A6, 2017-A9, 2021-A1, 2021-A2, 2021-A3, 2021-A4, 2021-A6, 2021-A7, 2025-A1, 2025-A10, 2025-A4, 2025-A5, 2025-A6, 2025-A7

WASC: HTTP Request Smuggling, Improper Input Handling, Information Leakage, Insufficient Authentication, Insufficient Transport Layer Protection, URL Redirector Abuse

CAPEC: 10, 101, 104, 105, 108, 109, 110, 114, 115, 120, 13, 135, 136, 14, 151, 153, 182, 194, 20, 209, 215, 22, 23, 230, 231, 24, 250, 261, 267, 28, 3, 31, 33, 42, 43, 45, 459, 46, 463, 47, 473, 475, 52, 53, 54, 57, 588, 593, 608, 614, 63, 633, 64, 650, 67, 7, 71, 72, 73, 78, 79, 8, 80, 81, 83, 85, 88, 9, 94, 97

DISA STIG: APSC-DV-000460, APSC-DV-002440, APSC-DV-002560, APSC-DV-002570, APSC-DV-002630

HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a)(1), 164.312(a)(2)(i), 164.312(e)

ISO: 27001-A.10.1.2, 27001-A.13.1.1, 27001-A.13.1.3, 27001-A.13.2.1, 27001-A.14.1.2, 27001-A.14.1.3, 27001-A.14.2.5, 27001-A.18.1.3, 27001-A.6.2.2, 27001-A.9.1.2, 27001-A.9.4.1, 27001-A.9.4.4, 27001-A.9.4.5

NIST: sp800_53-AC-3, sp800_53-AC-4, sp800_53-CM-6b, sp800_53-SC-12, sp800_53-SI-10, sp800_53-SI-11

OWASP API: 2019-API7, 2023-API8

OWASP ASVS: 4.0.2-14.2.1, 4.0.2-14.3.1, 4.0.2-5.1.3, 4.0.2-5.1.5, 4.0.2-9.1.2

PCI-DSS: 3.2-2.2, 3.2-6.2, 3.2-6.5, 3.2-6.5.10, 3.2-6.5.3, 3.2-6.5.4, 3.2-6.5.5, 3.2-6.5.8