The Apache Software Foundation released Apache security updates for Vulnerabilities that affects multiple versions of Apache Tomcat.
The codes for Apache project written by more than 6,000 volunteer individuals and employees from various corporation across six continents.
Apache missing hostname verification when using TLS with WebSocket client was missing, now it has been enabled by default. The Low severity bug reported publicly on 11 June 2018 and the vulnerability fixed on 22 July 2018. It receives CVSS3 Base Score 4.3.
The vulnerability affects 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.35 to 7.0.88 and it has been fixed with versions 9.0.10, 8.5.32, 8.0.53, 7.0.90 or later versions.
Another important vulnerability is with the improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. It receives CVSS3 Base Score 7.5 and the attack complexity is low.
Affected versions 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, 7.0.28 to 7.0.86 and the vulnerability was fixed with 7.0.90, 8.0.52, 8.5.32, 9.0.7 or later versions.
A critical bug with connection closures may allow attackers to reuse the user sessions with the new connection. It receives CVSS3 Base Score 9.1 and the attack complexity is low.
The vulnerability impacts 9.0.0.M9 to 9.0.9, 8.5.5 to 8.5.31 and the vulnerability was fixed with 8.5.32, 9.0.10 or later.
A remote attacker could exploit any one of these vulnerabilities to extract sensitive information. Server administrators are recommended to apply the Apache security updates to mitigate the risks.
Lynis – Open Source Security Auditing & Pentesting Tool – A Detailed Explanation
Apache Struts2 Remote Code Execution Vulnerability S2-046
New Apache Struts Vulnerability Allows Attackers to Take Control Over Web Servers
Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain," which…
A researcher has unveiled a novel integration between AI-powered Copilot and Microsoft's WinDbg, dramatically simplifying…
A high-severity vulnerability (CVE-2025-46762) has been discovered in Apache Parquet Java, exposing systems using the…
National Cyber Security Centre (NCSC) has issued technical guidance following a series of cyber attacks…
Claude AI, developed by Anthropic, has been exploited by malicious actors in a range of…
As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting U.S.…