Apache Tomcat 11.x vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 11.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.

Please note that binary patches are never provided. If you need to apply a source code patch, use the building instructions for the Apache Tomcat version that you are using. For Tomcat 11.0.x those are building.html and BUILDING.txt. Both files can be found in the webapps/docs subdirectory of a binary distribution. You may also want to review the Security Considerations page in the documentation.

If you need help on building or configuring Tomcat or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Tomcat Users mailing list

If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Tomcat Security Team. Thank you.

Table of Contents

2023-08-25 Fixed in Apache Tomcat 11.0.0-M11

Moderate: Open redirect CVE-2023-41080

If the ROOT (default) web application is configured to use FORM authentication then it is possible that a specially crafted URL could be used to trigger a redirect to an URL of the attackers choice.

This was fixed with commit e3703c9a.

This issue was reported to the Tomcat Security Team on 17 August 2023. The issue was made public on 22 August 2023.

Affects: 11.0.0-M1 to 11.0.0-M10

2023-05-09 Fixed in Apache Tomcat 11.0.0-M6

Important: Information disclosure CVE-2023-34981

The fix for bug 66512 introduced a regression that was fixed as bug 66591. The regression meant that, if a response did not have any HTTP headers set, no AJP SEND_HEADERS message would be sent which in turn meant that at least one AJP based proxy (mod_proxy_ajp) would use the response headers from the previous request for the current request leading to an information leak.

This was fixed with commit 739c7381.

This issue was reported to the Tomcat Security Team on 24 May 2023. The issue was made public on 21 June 2023.

Affects: 11.0.0-M5

2023-04-19 Fixed in Apache Tomcat 11.0.0-M5

Moderate: Apache Tomcat denial of service CVE-2023-28709

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.

This was fixed with commit d53d8e7f.

This issue was reported to the Tomcat Security Team on 13 March 2023. The issue was made public on 22 May 2023.

Affects: 11.0.0-M2 to 11.0.0-M4

2023-02-23 Fixed in Apache Tomcat 11.0.0-M3

Important: Apache Tomcat information disclosure CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

This was fixed with commit c64d496d.

66471 was reported publicly on 8 February 2023. The security implications were identified by the Tomcat Security team on 9 February 2023. The issue was made public on 22 March 2023.

Affects: 11.0.0-M1 to 11.0.0-M2

Note: The issue below was fixed in Apache Tomcat 11.0.0-M2 but the release vote for the 11.0.0-M2 release candidate did not pass. Therefore, although users must download 11.0.0-M3 to obtain a version that includes a fix for these issues, version 11.0.0-M2 is not included in the list of affected versions.

Important: Apache Tomcat denial of service CVE-2023-24998

Apache Tomcat uses a packaged renamed copy of Apache Commons FileUpload to provide the file upload functionality defined in the Jakarta Servlet specification. Apache Tomcat was, therefore, also vulnerable to the Apache Commons FileUpload vulnerability CVE-2023-24998 as there was no limit to the number of request parts processed. This resulted in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

This was fixed with commit 063e2e81.

This issue was reported to the Apache Tomcat Security team on 11 December 2022. The issue was made public on 20 February 2023.

Affects: 11.0.0-M1