Synopsis
Apache Tomcat 9.0.0.M1 < 9.0.31 Multiple Vulnerabilities
Description
The version of Apache Tomcat installed on the remote host is 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 or 7.0.0 to 7.0.99. It is, therefore, affected by multiple vulnerabilities:
- An arbitrary file read vulnerability in the AJP protocol, due to an implementation defect, which could also be leveraged to achieve remote code execution.
- An HTTP request smuggling vulnerability due to some invalid HTTP headers being parsed as valid.
- An HTTP request smuggling vulnerability due to invalid Transfer-Encoding headers being incorrectly processed.
Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to Apache Tomcat version 9.0.31 or later.
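Because the finding above rests on the self-reported version number, a defender validating it (or triaging an inventory export) needs a version comparison that understands Tomcat's milestone scheme, where 9.0.0.M1 through 9.0.0.M27 precede 9.0.1. The following is an added example, not part of the plugin or of Apache Tomcat itself; it encodes only the inclusive affected ranges stated above, and assumes the version is presented in the usual banner form "Apache Tomcat/9.0.30" (the sample banner lines are constructed).

```python
import re
from typing import Optional, Tuple

# Inclusive affected ranges, exactly as stated in the plugin description.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.30"),
    ("8.5.0", "8.5.50"),
    ("7.0.0", "7.0.99"),
]

# major.minor.patch with an optional ".M<n>" milestone suffix (Tomcat 9 pre-releases).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

# Banner as printed by Tomcat's default pages and version.sh, e.g. "Apache Tomcat/9.0.30".
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:\.M\d+)?)")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key: milestones (flag 0) sort before the final release of the same
    x.y.z (flag 1), so 9.0.0.M27 < 9.0.1 and 9.0.0.M1 < 9.0.0.M2."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside any of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def version_from_banner(text: str) -> Optional[str]:
    """Extract the version from a self-reported banner; None if no version is exposed
    (e.g. a generic "Apache-Coyote/1.1" Server header carries no release number)."""
    m = _BANNER_RE.search(text)
    return m.group(1) if m else None


def triage(banner: str) -> str:
    """Classify one observed banner as 'affected', 'not affected' or 'unknown'."""
    version = version_from_banner(banner)
    if version is None:
        return "unknown"  # the scanner's method cannot decide without a version
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "Server version: Apache Tomcat/9.0.30",
        "Server version: Apache Tomcat/9.0.31",
        "Server version: Apache Tomcat/9.0.0.M27",
        "Server version: Apache Tomcat/8.5.51",
        "Server: Apache-Coyote/1.1",
    ]
    for s in samples:
        print(f"{s!r}: {triage(s)}")
```

The "unknown" outcome is the practical caveat: when a host hides its release number, a version-based check says nothing either way, and the only reliable confirmation is the installed package or catalina.jar version on the host itself.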