1. Home
  2. Security Advisories
  3. Maven
  4. MAVEN:GHSA-JC7P-5R39-9477

[MAVEN:GHSA-JC7P-5R39-9477] Improper Input Validation in Apache Tomcat

Severity High
Affected Packages 5
Fixed Packages 5
CVEs 1
Info Packages References Vulnerabilities

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

Package Affected Version
pkg:maven/org.apache.tomcat/tomcat-coyote >= 6.0.0, < 6.0.48
pkg:maven/org.apache.tomcat/tomcat-coyote >= 7.0.0, < 7.0.73
pkg:maven/org.apache.tomcat/tomcat-coyote >= 8.0.0RC1, < 8.0.39
pkg:maven/org.apache.tomcat/tomcat-coyote >= 8.5.0, < 8.5.8
pkg:maven/org.apache.tomcat/tomcat-coyote >= 9.0.0.M1, <= 9.0.0.M11
Package Fixed Version
pkg:maven/org.apache.tomcat/tomcat-coyote = 6.0.48
pkg:maven/org.apache.tomcat/tomcat-coyote = 7.0.73
pkg:maven/org.apache.tomcat/tomcat-coyote = 8.0.39
pkg:maven/org.apache.tomcat/tomcat-coyote = 8.5.8
pkg:maven/org.apache.tomcat/tomcat-coyote = 9.0.0.M12
ID
MAVEN:GHSA-JC7P-5R39-9477
Severity
high
URL
https://github.com/advisories/GHSA-jc7p-5r39-9477
Published
2022-05-13T01:14:53
(2 years ago)
Modified
2023-12-08T19:56:02
(9 months ago)
Rights
Maven Security Team
Other Advisories
Source # ID Name URL
https://nvd.nist.gov/vuln/detail/CVE-2016-6816
https://access.redhat.com/errata/RHSA-2017:0455
https://access.redhat.com/errata/RHSA-2017:0456
https://access.redhat.com/errata/RHSA-2017:0935
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
https://security.netapp.com/advisory/ntap-20180607-0001/
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M13
https://usn.ubuntu.com/4557-1/
https://www.exploit-db.com/exploits/41783/
http://rhn.redhat.com/errata/RHSA-2017-0244.html
http://rhn.redhat.com/errata/RHSA-2017-0245.html
http://rhn.redhat.com/errata/RHSA-2017-0246.html
http://rhn.redhat.com/errata/RHSA-2017-0247.html
http://rhn.redhat.com/errata/RHSA-2017-0250.html
http://rhn.redhat.com/errata/RHSA-2017-0457.html
http://rhn.redhat.com/errata/RHSA-2017-0527.html
http://www.debian.org/security/2016/dsa-3738
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://svn.apache.org/viewvc?view=revision&revision=1767641
https://svn.apache.org/viewvc?view=revision&revision=1767645
https://svn.apache.org/viewvc?view=revision&revision=1767653
https://svn.apache.org/viewvc?view=revision&revision=1767675
https://svn.apache.org/viewvc?view=revision&revision=1767683
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://web.archive.org/web/20161204121236/http://www.securityfocus.com/bid/94461
https://web.archive.org/web/20170929085438/http://www.securitytracker.com/id/1037332
https://github.com/advisories/GHSA-jc7p-5r39-9477
Type Package URL Namespace Name / Product Version Distribution / Platform Arch Patch / Fix
Affected pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote >= 6.0.0 < 6.0.48
Fixed pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote = 6.0.48
Affected pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote >= 7.0.0 < 7.0.73
Fixed pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote = 7.0.73
Affected pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote >= 8.0.0RC1 < 8.0.39
Fixed pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote = 8.0.39
Affected pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote >= 8.5.0 < 8.5.8
Fixed pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote = 8.5.8
Affected pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote >= 9.0.0.M1 <= 9.0.0.M11
Fixed pkg:maven/org.apache.tomcat/tomcat-coyote org.apache.tomcat tomcat-coyote = 9.0.0.M12
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories Exploits PoC Pubblication Date Modification Date
# CVE Description CVSS EPSS EPSS Trend (30 days) Affected Products Weaknesses Security Advisories PoC Pubblication Date Modification Date