{ "document": { "aggregate_severity": { "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" }, { "category": "details", "text": "* SECURITY UPDATE: Misc vulnerability fixes\n - CVE-2019-12418, CVE-2019-17563, CVE-2020-1935,\n CVE-2020-11996, CVE-2020-13934, CVE-2020-13935,\n CVE-2020-13943, CVE-2020-17527, CVE-2021-24122,\n CVE-2021-30639, CVE-2021-30640, CVE-2021-33037,\n CVE-2021-42340, CVE-2021-43980, CVE-2022-25762,\n CVE-2022-34305, CVE-2022-45143, CVE-2023-24998,\n CVE-2023-28709, CVE-2023-34981, CVE-2023-42794,\n CVE-2024-21733\n * Update to 8.5.100\n - debian/rules,\n debian/libtomcat8-java.poms,\n debian/maven.rules,\n debian/tomcat8-common.links,\n debian/patches/0018-fix-manager-webapp.patch,\n debian/patches/0019-add-distribution-to-error-page.patch,\n debian/patches/0021-dont-test-unsupported-ciphers.patch,\n debian/patches/0101-skipping-tests-incompatible-with-firewall.patch:\n updated\n - debian/patches/0002-do-not-load-AJP13-connector-by-default.patch,\n debian/patches/0026-easymock4-compatibility.patch:\n removed as they were applied in upstream\n - CVE-2019-0221.patch, CVE-2019-10072-1.patch,\n CVE-2019-10072-2.patch, CVE-2022-42252.patch,\n CVE-2020-1938.patch, CVE-2021-25122.patch,\n CVE-2021-41079.patch, CVE-2022-29885.patch,\n CVE-2020-9484.patch, CVE-2021-25329-pre1.patch,\n CVE-2021-25329.patch, CVE-2022-23181.patch,\n CVE-2023-44487.patch, CVE-2023-46589-pre1.patch,\n CVE-2023-46589-pre2.patch, CVE-2023-46589-pre3.patch,\n CVE-2023-46589-pre4.patch, CVE-2023-46589.patch:\n removed because these CVEs were fixed in upstream\n * Internal tests\n - debian/test_certs/*: updated from upstream branch 9.0.x, as the\n 8.0.x certs were expired", "title": "Details" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu18.04els/advisories/2025/clsa-2025_1748282295.json" }, { "category": "self", "summary": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748282295", "url": "https://cve.tuxcare.com/els/releases/CLSA-2025:1748282295" } ], "tracking": { "current_release_date": "2025-05-27T13:46:46Z", "generator": { "date": "2025-05-27T13:46:46Z", "engine": { "name": "pyCSAF" } }, "id": "CLSA-2025:1748282295", "initial_release_date": "2025-05-26T17:58:18Z", "revision_history": [ { "date": "2025-05-26T17:58:18Z", "number": "1", "summary": "Initial version" }, { "date": "2025-05-27T13:46:46Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Fix of 34 CVEs" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Ubuntu 18.04", "product": { "name": "Ubuntu 18.04", "product_id": "Ubuntu-18", "product_identification_helper": { "cpe": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*" } } } ], "category": "product_family", "name": "Ubuntu" } ], "category": "vendor", "name": "Canonical Ltd." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product": { "name": "tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_id": "tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/tomcat8-examples@8.5.100-1ubuntu1~18.04.1%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product": { "name": "tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_id": "tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/tomcat8-common@8.5.100-1ubuntu1~18.04.1%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product": { "name": "tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_id": "tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/tomcat8-user@8.5.100-1ubuntu1~18.04.1%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product": { "name": "libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_id": "libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/libtomcat8-embed-java@8.5.100-1ubuntu1~18.04.1%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product": { "name": "tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_id": "tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/tomcat8-docs@8.5.100-1ubuntu1~18.04.1%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product": { "name": "tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_id": "tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/tomcat8-admin@8.5.100-1ubuntu1~18.04.1%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product": { "name": "tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_id": "tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/tomcat8@8.5.100-1ubuntu1~18.04.1%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product": { "name": "libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_id": "libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/cloudlinux/libtomcat8-java@8.5.100-1ubuntu1~18.04.1%2Btuxcare.els1?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "CloudLinux" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" }, "product_reference": "tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" }, "product_reference": "tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" }, "product_reference": "tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" }, "product_reference": "libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" }, "product_reference": "tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" }, "product_reference": "tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" }, "product_reference": "tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" }, { "category": "default_component_of", "full_product_name": { "name": "libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all as a component of Ubuntu 18.04", "product_id": "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" }, "product_reference": "libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "relates_to_product_reference": "Ubuntu-18" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-28709", "cwe": { "id": "CWE-193", "name": "Off-by-one Error" }, "notes": [ { "category": "description", "text": "The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7, 9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-28709" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2023/05/22/1", "url": "http://www.openwall.com/lists/oss-security/2023/05/22/1" }, { "category": "external", "summary": "https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j", "url": "https://lists.apache.org/thread/7wvxonzwb7k9hx9jt3q33cmy7j97jo3j" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202305-37", "url": "https://security.gentoo.org/glsa/202305-37" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20230616-0004/", "url": "https://security.netapp.com/advisory/ntap-20230616-0004/" }, { "category": "external", "summary": "https://www.debian.org/security/2023/dsa-5521", "url": "https://www.debian.org/security/2023/dsa-5521" } ], "release_date": "2023-05-22T11:15:00", "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2021-30639", "cwe": { "id": "CWE-755", "name": "Improper Handling of Exceptional Conditions" }, "notes": [ { "category": "description", "text": "A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2021-30639" }, { "category": "external", "summary": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10366" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r79a7c019712b39aedf7cf4da9276d80610f04441b2a4f6506cb2daaf%40%3Cusers.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/rd84fae1f474597bdf358f5bdc0a5c453c507bd527b83e8be6b5ea3f4%40%3Cannounce.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202208-34", "url": "https://security.gentoo.org/glsa/202208-34" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20210827-0007/", "url": "https://security.netapp.com/advisory/ntap-20210827-0007/" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2022.html", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" } ], "release_date": "2021-07-12T15:15:00", "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK_ACCESSIBLE", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2020-13934", "cwe": { "id": "CWE-401", "name": "Missing Release of Memory after Effective Lifetime" }, "notes": [ { "category": "description", "text": "An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2020-13934" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652ee4f962e%40%3Cannounce.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r61f411cf82488d6ec213063fc15feeeb88e31b0ca9c29652ee4f962e%40%3Cannounce.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/ra072b1f786e7d139e86f1d1145572e0ff71cef38a96d9c6f5362aac8%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20200724-0003/", "url": "https://security.netapp.com/advisory/ntap-20200724-0003/" }, { "category": "external", "summary": "https://usn.ubuntu.com/4596-1/", "url": "https://usn.ubuntu.com/4596-1/" }, { "category": "external", "summary": "https://www.debian.org/security/2020/dsa-4727", "url": "https://www.debian.org/security/2020/dsa-4727" }, { "category": "external", "summary": "https://www.oracle.com//security-alerts/cpujul2021.html", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuApr2021.html", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2021.html", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2022.html", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuoct2020.html", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "release_date": "2020-07-14T15:15:00", "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK_ACCESSIBLE", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2020-1935", "cwe": { "id": "CWE-444", "name": "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')" }, "notes": [ { "category": "description", "text": "In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2020-1935" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75%40%3Cusers.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919%40%3Cusers.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E", "url": "https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78%40%3Ccommits.tomee.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1%40%3Cusers.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7%40%3Cusers.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E", "url": "https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743%40%3Ccommits.tomee.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18%40%3Cusers.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html", "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20200327-0005/", "url": "https://security.netapp.com/advisory/ntap-20200327-0005/" }, { "category": "external", "summary": "https://usn.ubuntu.com/4448-1/", "url": "https://usn.ubuntu.com/4448-1/" }, { "category": "external", "summary": "https://www.debian.org/security/2020/dsa-4673", "url": "https://www.debian.org/security/2020/dsa-4673" }, { "category": "external", "summary": "https://www.debian.org/security/2020/dsa-4680", "url": "https://www.debian.org/security/2020/dsa-4680" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2021.html", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujul2020.html", "url": "https://www.oracle.com/security-alerts/cpujul2020.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuoct2020.html", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "release_date": "2020-02-24T22:15:00", "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK_ACCESSIBLE", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "Medium" } ] }, { "cve": "CVE-2019-12418", "notes": [ { "category": "description", "text": "When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2019-12418" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html", "url": "https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html", "url": "https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html" }, { "category": "external", "summary": "https://seclists.org/bugtraq/2019/Dec/43", "url": "https://seclists.org/bugtraq/2019/Dec/43" }, { "category": "external", "summary": "https://security.gentoo.org/glsa/202003-43", "url": "https://security.gentoo.org/glsa/202003-43" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20200107-0001/", "url": "https://security.netapp.com/advisory/ntap-20200107-0001/" }, { "category": "external", "summary": "https://support.f5.com/csp/article/K10107360?utm_source=f5support&%3Butm_medium=RSS", "url": "https://support.f5.com/csp/article/K10107360?utm_source=f5support&%3Butm_medium=RSS" }, { "category": "external", "summary": "https://usn.ubuntu.com/4251-1/", "url": "https://usn.ubuntu.com/4251-1/" }, { "category": "external", "summary": "https://www.debian.org/security/2019/dsa-4596", "url": "https://www.debian.org/security/2019/dsa-4596" }, { "category": "external", "summary": "https://www.debian.org/security/2020/dsa-4680", "url": "https://www.debian.org/security/2020/dsa-4680" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuapr2020.html", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" } ], "release_date": "2019-12-23T18:15:00", "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL_ACCESS", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2021-43980", "cwe": { "id": "CWE-362", "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')" }, "notes": [ { "category": "description", "text": "The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2021-43980" }, { "category": "external", "summary": "http://www.openwall.com/lists/oss-security/2022/09/28/1", "url": "http://www.openwall.com/lists/oss-security/2022/09/28/1" }, { "category": "external", "summary": "https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3", "url": "https://lists.apache.org/thread/3jjqbsp6j88b198x5rmg99b1qr8ht3g3" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html", "url": "https://lists.debian.org/debian-lts-announce/2022/10/msg00029.html" }, { "category": "external", "summary": "https://www.debian.org/security/2022/dsa-5265", "url": "https://www.debian.org/security/2022/dsa-5265" } ], "release_date": "2022-09-28T14:15:00", "scores": [ { "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "Low" } ] }, { "cve": "CVE-2022-25762", "cwe": { "id": "CWE-404", "name": "Improper Resource Shutdown or Release" }, "notes": [ { "category": "description", "text": "If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2022-25762" }, { "category": "external", "summary": "https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c", "url": "https://lists.apache.org/thread/6ckmjfb1k61dyzkto9vm2k5jvt4o7w7c" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20220629-0003/", "url": "https://security.netapp.com/advisory/ntap-20220629-0003/" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujul2022.html", "url": "https://www.oracle.com/security-alerts/cpujul2022.html" } ], "release_date": "2022-05-13T08:15:00", "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK_ACCESSIBLE", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2019-0232", "cwe": { "id": "CWE-78", "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" }, "notes": [ { "category": "description", "text": "When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2019-0232" }, { "category": "external", "summary": "http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html", "url": "http://packetstormsecurity.com/files/153506/Apache-Tomcat-CGIServlet-enableCmdLineArguments-Remote-Code-Execution.html" }, { "category": "external", "summary": "http://seclists.org/fulldisclosure/2019/May/4", "url": "http://seclists.org/fulldisclosure/2019/May/4" }, { "category": "external", "summary": "http://www.securityfocus.com/bid/107906", "url": "http://www.securityfocus.com/bid/107906" }, { "category": "external", "summary": "https://access.redhat.com/errata/RHSA-2019:1712", "url": "https://access.redhat.com/errata/RHSA-2019:1712" }, { "category": "external", "summary": "https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-cve-2019-0232-a-remote-code-execution-vulnerability-in-apache-tomcat/" }, { "category": "external", "summary": "https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html", "url": "https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/52ffb9fbf661245386a83a661183d13f1de2e5779fa23837a08e02ac%40%3Ccommits.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/5f297a4b9080b5f65a05bc139596d0e437d6a539b25e31d29d028767%40%3Cannounce.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/673b6148d92cd7bc99ea2dcf85ad75d57da44fc322d51f37fb529a2a%40%3Ccommits.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/96849486813a95dfd542e1618b7923ca945508aaf4a4341f674d83e3%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/a6c87a09a71162fd563ab1c4e70a08a103e0b7c199fc391f1c9c4c35%40%3Ccommits.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/dd4b325cdb261183dbf5ce913c102920a8f09c26dae666a98309165b%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/f4d48b32ef2b6aa49c8830241a9475da5b46e451f964b291c7a0a715%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E", "url": "https://lists.apache.org/thread.html/r6d03e45b81eab03580cf7f8bb51cb3e9a1b10a2cc0c6a2d3cc92ed0c%40%3Cannounce.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20190419-0001/", "url": "https://security.netapp.com/advisory/ntap-20190419-0001/" }, { "category": "external", "summary": "https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/", "url": "https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/" }, { "category": "external", "summary": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784", "url": "https://www.broadcom.com/support/fibre-channel-networking/security-advisories/brocade-security-advisory-2019-784" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuApr2021.html", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuapr2020.html", "url": "https://www.oracle.com/security-alerts/cpuapr2020.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2020.html", "url": "https://www.oracle.com/security-alerts/cpujan2020.html" }, { "category": "external", "summary": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" }, { "category": "external", "summary": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" }, { "category": "external", "summary": "https://www.synology.com/security/advisory/Synology_SA_19_17", "url": "https://www.synology.com/security/advisory/Synology_SA_19_17" }, { "category": "external", "summary": "https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/", "url": "https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/" } ], "release_date": "2019-04-15T15:29:00", "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK_ACCESSIBLE", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2020-11996", "notes": [ { "category": "description", "text": "A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2020-11996" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00064.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00064.html" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00072.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00072.html" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r2529016c311ce9485e6f173446d469600fdfbb94dccadfcd9dfdac79%40%3Cusers.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r2529016c311ce9485e6f173446d469600fdfbb94dccadfcd9dfdac79%40%3Cusers.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r3ea96d8f36dd404acce83df8aeb22a9e807d6c13ca9c5dec72f872cd%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/r3ea96d8f36dd404acce83df8aeb22a9e807d6c13ca9c5dec72f872cd%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r5541ef6b6b68b49f76fc4c45695940116da2bcbe0312ef204a00a2e0%40%3Cannounce.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r5a4f80a6acc6607d61dae424b643b594c6188dd4e1eff04705c10db2%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/r5a4f80a6acc6607d61dae424b643b594c6188dd4e1eff04705c10db2%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r6c29801370a36c1a5159679269777ad0c73276d3015b8bbefea66e5c%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/r6c29801370a36c1a5159679269777ad0c73276d3015b8bbefea66e5c%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r74f5a8204efe574cbfcd95b2a16236fe95beb45c4d9fee3dc789dca9%40%3Ccommits.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/r74f5a8204efe574cbfcd95b2a16236fe95beb45c4d9fee3dc789dca9%40%3Ccommits.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r8f3d416c193bc9384a8a7dd368623d441f5fcaff1057115008100561%40%3Ccommits.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/r8f3d416c193bc9384a8a7dd368623d441f5fcaff1057115008100561%40%3Ccommits.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/r8f7484589454638af527182ae55ef5b628ba00c05c5b11887c922fb1%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r93ca628ef3a4530dfe5ac49fddc795f0920a4b2a408b57a30926a42b%40%3Ccommits.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/r93ca628ef3a4530dfe5ac49fddc795f0920a4b2a408b57a30926a42b%40%3Ccommits.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r9ad911fe49450ed9405827af0e7a74104041081ff91864b1f2546bbd%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/r9ad911fe49450ed9405827af0e7a74104041081ff91864b1f2546bbd%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/ra7092f7492569b39b04ec0decf52628ba86c51f15efb38f5853e2760%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rb4ee49ecc4c59620ffd5e66e84a17e526c2c3cfa95d0cd682d90d338%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/rb4ee49ecc4c59620ffd5e66e84a17e526c2c3cfa95d0cd682d90d338%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rb820f1a2a02bf07414be12c653c2ab5321fd87b9bf6c5e635c53ff4b%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/rb820f1a2a02bf07414be12c653c2ab5321fd87b9bf6c5e635c53ff4b%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rc80b96b4b96618b2b7461cb90664a428cfd6605eea9f74e51b792542%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/rc80b96b4b96618b2b7461cb90664a428cfd6605eea9f74e51b792542%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rea65d6ef2e45dd1c45faae83922042732866c7b88fa109b76c83db52%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/rea65d6ef2e45dd1c45faae83922042732866c7b88fa109b76c83db52%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/ref0339792ac6dac1dba83c071a727ad72380899bde60f6aaad4031b9%40%3Cnotifications.ofbiz.apache.org%3E", "url": "https://lists.apache.org/thread.html/ref0339792ac6dac1dba83c071a727ad72380899bde60f6aaad4031b9%40%3Cnotifications.ofbiz.apache.org%3E" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20200709-0002/", "url": "https://security.netapp.com/advisory/ntap-20200709-0002/" }, { "category": "external", "summary": "https://usn.ubuntu.com/4596-1/", "url": "https://usn.ubuntu.com/4596-1/" }, { "category": "external", "summary": "https://www.debian.org/security/2020/dsa-4727", "url": "https://www.debian.org/security/2020/dsa-4727" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2021.html", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuoct2020.html", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" } ], "release_date": "2020-06-26T17:15:00", "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK_ACCESSIBLE", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "High" } ] }, { "cve": "CVE-2020-13935", "cwe": { "id": "CWE-835", "name": "Loop with Unreachable Exit Condition ('Infinite Loop')" }, "notes": [ { "category": "description", "text": "The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2020-13935" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00084.html" }, { "category": "external", "summary": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00088.html" }, { "category": "external", "summary": "https://kc.mcafee.com/corporate/index?page=content&id=SB10332", "url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10332" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/r4e5d3c09f4dd2923191e972408b40fb8b42dbff0bc7904d44b651e50%40%3Cusers.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E", "url": "https://lists.apache.org/thread.html/rd48c72bd3255bda87564d4da3791517c074d94f8a701f93b85752651%40%3Cannounce.tomcat.apache.org%3E" }, { "category": "external", "summary": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html", "url": "https://lists.debian.org/debian-lts-announce/2020/07/msg00017.html" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20200724-0003/", "url": "https://security.netapp.com/advisory/ntap-20200724-0003/" }, { "category": "external", "summary": "https://usn.ubuntu.com/4448-1/", "url": "https://usn.ubuntu.com/4448-1/" }, { "category": "external", "summary": "https://usn.ubuntu.com/4596-1/", "url": "https://usn.ubuntu.com/4596-1/" }, { "category": "external", "summary": "https://www.debian.org/security/2020/dsa-4727", "url": "https://www.debian.org/security/2020/dsa-4727" }, { "category": "external", "summary": "https://www.oracle.com//security-alerts/cpujul2021.html", "url": "https://www.oracle.com//security-alerts/cpujul2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuApr2021.html", "url": "https://www.oracle.com/security-alerts/cpuApr2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuapr2022.html", "url": "https://www.oracle.com/security-alerts/cpuapr2022.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2021.html", "url": "https://www.oracle.com/security-alerts/cpujan2021.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpujan2022.html", "url": "https://www.oracle.com/security-alerts/cpujan2022.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuoct2020.html", "url": "https://www.oracle.com/security-alerts/cpuoct2020.html" }, { "category": "external", "summary": "https://www.oracle.com/security-alerts/cpuoct2021.html", "url": "https://www.oracle.com/security-alerts/cpuoct2021.html" } ], "release_date": "2020-07-14T15:15:00", "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK_ACCESSIBLE", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" }, "products": [ "Ubuntu-18:tomcat8-examples-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-common-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-user-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-embed-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-docs-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-admin-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:tomcat8-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all", "Ubuntu-18:libtomcat8-java-0:8.5.100-1ubuntu1~18.04.1+tuxcare.els1.all" ] } ], "threats": [ { "category": "impact", "details": "High" } ] } ] }