Apache Tomcat, a widely used open-source web server, has had numerous security vulnerabilities disclosed in recent years.
Several of the critical issues expose servers to remote code execution (RCE) and other attacks.
These vulnerabilities highlight the importance of keeping the software up to date and properly configured so that known flaws cannot be exploited.
The table below summarizes the Apache Tomcat CVEs discussed, with the affected Tomcat 11 versions:
| CVE | Vulnerability Type | Description | Affected Versions |
|---|---|---|---|
| CVE-2025-24813 | Remote Code Execution and Information Disclosure | Temporary file vulnerability in partial PUT operations allowing access to security-sensitive files and potential RCE with certain conditions. | 11.0.0-M1 to 11.0.2 |
| CVE-2024-56337 | Remote Code Execution | Incomplete mitigation for CVE-2024-50379, requiring additional configuration on case-insensitive file systems. | 11.0.0-M1 to 11.0.1 |
| CVE-2024-54677 | Denial of Service | OutOfMemoryError in examples web app due to unlimited uploaded data. | 11.0.0-M1 to 11.0.1 |
| CVE-2024-50379 | Remote Code Execution | RCE via write-enabled default servlet on case-insensitive file systems. | 11.0.0-M1 to 11.0.1 |
| CVE-2024-52318 | Cross-Site Scripting (XSS) | Unescaped output from pooled JSP tags could lead to XSS. | 11.0.0 |
| CVE-2024-52317 | Request and Response Mix-up | Incorrectly recycled HTTP/2 requests could lead to data mix-ups between users. | 11.0.0-M23 to 11.0.0-M26 |
| CVE-2024-52316 | Authentication Bypass | Potential bypass if custom authentication components throw exceptions without setting failure status. | 11.0.0-M1 to 11.0.0-M26 |
| CVE-2024-38286 | Denial of Service | OutOfMemoryError triggered by abusing the TLS handshake process. | 11.0.0-M1 to 11.0.0-M20 |
| CVE-2024-34750 | Denial of Service | Incorrect handling of HTTP/2 streams led to miscounting active streams. | 11.0.0-M1 to 11.0.0-M20 |
| CVE-2024-23672 | Denial of Service | WebSocket clients could keep connections open for resource exhaustion. | 11.0.0-M1 to 11.0.0-M16 |
| CVE-2024-24549 | Denial of Service | Failure to reset HTTP/2 streams after exceeding header limits. | 11.0.0-M1 to 11.0.0-M16 |
| CVE-2023-45648 | Request Smuggling | Incorrect parsing of HTTP trailer headers could lead to request smuggling. | 11.0.0-M1 to 11.0.0-M11 |
| CVE-2023-44487 | Denial of Service | Rapid reset attack could cause OutOfMemoryError via HTTP/2 implementation. | 11.0.0-M1 to 11.0.0-M11 |
| CVE-2023-42795 | Information Disclosure | Incomplete request/response recycling could lead to information leaks. | 11.0.0-M1 to 11.0.0-M11 |
| CVE-2023-41080 | Open Redirect | Specially crafted URLs could trigger redirects under certain conditions. | 11.0.0-M1 to 11.0.0-M10 |
| CVE-2023-46589 | Request Smuggling | Trailer headers exceeding size limits could cause request smuggling. | 11.0.0-M1 to 11.0.0-M10 |
| CVE-2023-34981 | Information Disclosure | Regression in AJP SEND_HEADERS message processing could leak headers. | 11.0.0-M5 |
| CVE-2023-28709 | Denial of Service | Incomplete fix for previous DoS vulnerability, affecting query string parameters. | 11.0.0-M2 to 11.0.0-M4 |
| CVE-2023-28708 | Information Disclosure | Session cookies lacked secure attribute when using RemoteIpFilter. | 11.0.0-M1 to 11.0.0-M2 |
| CVE-2023-24998 | Denial of Service | Unrestricted file upload parts could lead to resource exhaustion. | 11.0.0-M1 |
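The affected-version ranges above are only useful if you can compare them correctly against what is actually deployed, and Tomcat's milestone builds (for example 11.0.0-M26) sort before the 11.0.0 GA release, which trips up naive string comparison. The following script is an added example, not code from the article or the Tomcat project: it transcribes the table's ranges and reports which of these CVEs cover a given Tomcat 11 version string.

```python
# Added example: match an installed Apache Tomcat 11 version against the
# inclusive affected ranges from the table above. Milestone builds such as
# "11.0.0-M26" order before the GA build "11.0.0", which orders before "11.0.1".
import re

# (CVE, first affected, last affected), transcribed from the table; inclusive.
AFFECTED = [
    ("CVE-2025-24813", "11.0.0-M1", "11.0.2"),
    ("CVE-2024-56337", "11.0.0-M1", "11.0.1"),
    ("CVE-2024-54677", "11.0.0-M1", "11.0.1"),
    ("CVE-2024-50379", "11.0.0-M1", "11.0.1"),
    ("CVE-2024-52318", "11.0.0", "11.0.0"),
    ("CVE-2024-52317", "11.0.0-M23", "11.0.0-M26"),
    ("CVE-2024-52316", "11.0.0-M1", "11.0.0-M26"),
    ("CVE-2024-38286", "11.0.0-M1", "11.0.0-M20"),
    ("CVE-2024-34750", "11.0.0-M1", "11.0.0-M20"),
    ("CVE-2024-23672", "11.0.0-M1", "11.0.0-M16"),
    ("CVE-2024-24549", "11.0.0-M1", "11.0.0-M16"),
    ("CVE-2023-45648", "11.0.0-M1", "11.0.0-M11"),
    ("CVE-2023-44487", "11.0.0-M1", "11.0.0-M11"),
    ("CVE-2023-42795", "11.0.0-M1", "11.0.0-M11"),
    ("CVE-2023-41080", "11.0.0-M1", "11.0.0-M10"),
    ("CVE-2023-46589", "11.0.0-M1", "11.0.0-M10"),
    ("CVE-2023-34981", "11.0.0-M5", "11.0.0-M5"),
    ("CVE-2023-28709", "11.0.0-M2", "11.0.0-M4"),
    ("CVE-2023-28708", "11.0.0-M1", "11.0.0-M2"),
    ("CVE-2023-24998", "11.0.0-M1", "11.0.0-M1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")

def parse_version(text):
    """Return a sortable key (major, minor, patch, is_ga, milestone).
    A milestone build gets is_ga=0 so it sorts before the GA build (is_ga=1)
    of the same major.minor.patch; among milestones the M number decides."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

def affected_cves(version):
    """List the CVE ids from the table whose inclusive range contains `version`."""
    v = parse_version(version)
    return [cve for cve, lo, hi in AFFECTED
            if parse_version(lo) <= v <= parse_version(hi)]
```

For example, `affected_cves("11.0.0")` returns the five CVEs whose range reaches the GA release, while `affected_cves("11.0.3")` returns an empty list.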
The ongoing series of vulnerabilities in Apache Tomcat underscores the importance of applying software updates promptly and maintaining robust security measures around the server.
While most of these issues are fixed by updating, understanding the nature of each vulnerability helps administrators secure their servers against the configurations and traffic patterns that make them exploitable.
Continuous monitoring and maintenance remain essential to protecting servers from both known and emerging risks.