Skip to main content

Common Vulnerabilities &

Exposures (CVE) Support

Tomitribe support has patched over 120+ CVEs on Apache Tomcat, TomEE & ActiveMQ.

Choose your server & see if your version is vulnerable.

Apache Tomcat is an open-source implementation of the Java Servlet, JavaServer Pages, Java Expression Language and WebSocket technologies.

Check Your Version

Apache TomEE is a lightweight, yet powerful, JavaEE Application server with feature rich tooling.

Check Your Version

Apache ActiveMQ is an open source message broker written in Java together with a full Java Message Service (JMS) client.

Check Your Version

Most recent CVEs

CVE
Severity
Description
Category
Affected
CVE-2024-28752
2024-03-08
0.0
A SSRF vulnerability using the Aegis DataBinding in versions of Apache CXF before 4.0.4, 3.6.3 and 3.5.8 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type. Users of other data bindings (including the default databinding) are not impacted.
datafunctional
CWE-918
Details
CVE-2024-24549
2024-01-25
0.0
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
dataoperational
CWE-20
Details
CVE-2024-23672
2024-01-19
0.0
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
dataoperational
CWE-459
Details
CVE-2024-21733
2024-01-01
3.1
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat.This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43. Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
dataoperational
CWE-209
Details
CVE-2023-51775
2023-12-25
0.0
The jose4j component before 0.9.4 for Java allows attackers to cause a denial of service (CPU consumption) via a large p2c (aka PBES2 Count) value.
data
n/a
Details
CVE-2023-46589
2023-10-23
7.5
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
dataoperational
CWE-444
Details
CVE-2023-33202
2023-05-18
5.5
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
data
n/a
Details
CVE-2023-46604
2023-10-24
10.0
The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
dataoperational
CWE-502:
Details
CVE-2023-31582
2023-04-29
6.5
jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less.
data
n/a
Details
CVE-2023-44483
2023-09-29
7.4
All versions of Apache Santuario - XML Security for Java prior to 2.2.6, 2.3.4, and 3.0.3, when using the JSR 105 API, are vulnerable to an issue where a private key may be disclosed in log files when generating an XML Signature and logging with debug level is enabled. Users are recommended to upgrade to version 2.2.6, 2.3.4, or 3.0.3, which fixes this issue.
configurationfunctional
CWE-532
Details

Vulnerability Playbook

Scan

365 days a year we automatically scan your exact versions of Tomcat, TomEE or ActiveMQ.

Discover & Notify

Vulnerabilities receive immediate attention from our support team & support tickets are created on your behalf in our portal.

Assess & React

We work collaboratively to help determine if your application is affected & backed by our support team, you react appropriately & own risk confidently

Patch & Rollout

The Tomitribe Support team immediately begins work on a patch for your version, new binaries are posted to your open ticket, & can be rolled out immediately.

Contact Us & Get Patched

We are ready to get on a call with you to answer any questions you may have.

Top 5 Tomcat Vulnerabilities Demonstrated

video previewPlay Video

Tribers’ David Blevins and Jonathan Gallimore join Sonatype  Nexus User Conference with Mark Miller to explain 5 Tomcat security vulnerabilities.

Talk to our Dev Team
Scanned for Vulnerabilities lately?   

Contact us & see how we can help. 

* These fields are required.