Apache Tomcat 10.x vulnerabilities
This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 10.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.
Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.
Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 10.0.x alpha those are
Both files can be found in the
of a binary distribution. You may also want to review the
page in the documentation.
If you need help on building or configuring Tomcat or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Tomcat Users mailing list
If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Tomcat Security Team. Thank you.
11 May 2020 Fixed in Apache Tomcat 10.0.0-M5
High: Remote Code Execution via session persistence CVE-2020-9484
If:
- an attacker is able to control the contents and name of a file on the server; and
- the server is configured to use the PersistenceManager with a FileStore; and
- the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and
- the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over;
then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
Note: All of conditions above must be true for the attack to succeed.
As an alternative to upgrading to 10.0.0-M5 or later, users may configure
PersistenceManager with an appropriate value for
sessionAttributeValueClassNameFilter to ensure that only
application provided attributes are serialized and deserialized.
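The following context.xml fragment is an added illustration of that mitigation; it is not taken from this page or from the Tomcat distribution. It shows the vulnerable shape (PersistentManager plus FileStore with the value class filter left unset, which is the "null" default described above) next to a hardened shape that restricts both the attribute names and the attribute value classes that may be (de)serialized. The attribute names user, cart and locale, the package com.example.shop.model and the directory sessions are assumptions for the example; replace them with the attributes and classes your application actually stores in the session.

```xml
<!-- conf/context.xml, or META-INF/context.xml of a single web application.
     Added example, not Tomcat's shipped configuration. -->
<Context>

  <!-- Vulnerable shape: sessionAttributeValueClassNameFilter is left unset,
       which without a SecurityManager means no filtering at all. Any class on
       the classpath can be deserialized from a file read back by FileStore.
       Kept here only for comparison, so it is commented out. -->
  <!--
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="sessions"/>
  </Manager>
  -->

  <!-- Hardened shape: persist only the attributes the application owns, and
       only values whose class name fully matches the regular expression.
       Class names are matched against the whole fully qualified name.
       com.example.shop.model is an assumed application package. -->
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeNameFilter="^(?:user|cart|locale)$"
           sessionAttributeValueClassNameFilter="^(?:java\.lang\.(?:Boolean|Integer|Long|String)|com\.example\.shop\.model\.[A-Za-z0-9_$]+)$"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>

</Context>
```

Both filters apply in both directions: an attribute whose name or value class does not match is not written to the store and is not read back from it, so an attacker-controlled file whose serialized object is of any other class is rejected before deserialization. Setting warnOnSessionAttributeFilterFailure="true" makes rejected attributes show up in the Tomcat log, which is the quickest way to confirm the regex is not silently dropping attributes the application legitimately needs.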
This was fixed with commit bb33048e.
This issue was reported to the Apache Tomcat Security Team by jarvis threedr3am of pdd security research on 12 April 2020. The issue was made public on 20 May 2020.
Affects: 10.0.0-M1 to 10.0.0-M4