This page lists all security vulnerabilities fixed in released versions
of Apache Tomcat 11.x. Each vulnerability is given a
security impact rating by the Apache
Tomcat security team — please note that this rating may vary from
platform to platform. We also list the versions of Apache Tomcat the flaw
is known to affect, and where a flaw has not been verified list the
version with a question mark.
Note: Vulnerabilities that are not Tomcat vulnerabilities
but have either been incorrectly reported against Tomcat or where Tomcat
provides a workaround are listed at the end of this page.
Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 11.0.x those are
building.html and
BUILDING.txt.
Both files can be found in the webapps/docs subdirectory
of a binary distribution. You may also want to review the
Security Considerations
page in the documentation.
If you need help on building or configuring Tomcat or other help on
following the instructions to mitigate the known vulnerabilities listed
here, please send your questions to the public
Tomcat Users mailing list
If you have encountered an unlisted security vulnerability or other
unexpected behaviour that has security
impact, or if the descriptions here are incomplete,
please report them privately to the
Tomcat Security Team. Thank you.
Moderate: Apache Tomcat denial of service
CVE-2023-28709
The fix for CVE-2023-24998 was incomplete. If non-default HTTP
connector settings were used such that the maxParameterCount
could be reached using query string parameters and a request was
submitted that supplied exactly maxParameterCount parameters
in the query string, the limit for uploaded request parts could be
bypassed with the potential for a denial of service to occur.
This was fixed with commit
d53d8e7f.
This issue was reported to the Tomcat Security Team on 13 March 2023. The
issue was made public on 22 May 2023.
Affects: 11.0.0-M2 to 11.0.0-M4
Important: Apache Tomcat information disclosure
CVE-2023-28708
When using the RemoteIpFilter with requests received from a
reverse proxy via HTTP that include the X-Forwarded-Proto
header set to https, session cookies created by Tomcat did not
include the secure attribute. This could result in the user agent
transmitting the session cookie over an insecure channel.
This was fixed with commit
c64d496d.
66471 was reported publicly on 8 February 2023. The security
implications were identified by the Tomcat Security team on 9 February
2023. The issue was made public on 22 March 2023.
Affects: 11.0.0-M1 to 11.0.0-M2
Note: The issue below was fixed in Apache Tomcat 11.0.0-M2 but the
release vote for the 11.0.0-M2 release candidate did not pass. Therefore,
although users must download 11.0.0-M3 to obtain a version that includes
a fix for these issues, version 11.0.0-M2 is not included in the list of
affected versions.
Important: Apache Tomcat denial of service
CVE-2023-24998
Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload
to provide the file upload functionality defined in the Jakarta Servlet
specification. Apache Tomcat was, therefore, also vulnerable to the
Apache Commons FileUpload vulnerability CVE-2023-24998 as
there was no limit to the number of request parts processed. This
resulted in the possibility of an attacker triggering a DoS with a
malicious upload or series of uploads.
This was fixed with commit
063e2e81.
This issue was reported to the Apache Tomcat Security team on 11
December 2022. The issue was made public on 20 February 2023.
Affects: 11.0.0-M1
