
Blackduck: Automated PR: Update org.apache.tomcat:tomcat-dbcp:9.0.8 to 9.0.102 #3

Open
github-actions[bot] wants to merge 1 commit into main from BD-PR-tomcat-dbcp_9.0.8_org.apache.tomcat-1743703423

Conversation

github-actions[bot] commented Apr 3, 2025

Vulnerabilities associated with org.apache.tomcat:tomcat-dbcp:9.0.8

BDSA-2019-1146 (CRITICAL): An improper input validation vulnerability has been discovered in Apache Tomcat. An attacker could exploit this vulnerability through the command line to execute arbitrary code against the target system.

This vulnerability affects only Windows operating systems.

BDSA-2023-2732 (HIGH): The HTTP/2 protocol contains a flaw related to the stream multiplexing feature that can allow for excessive resource consumption on servers operating implementations of the HTTP/2 protocol.

The HTTP/2 protocol allows clients to signal to a server to cancel a previously opened stream by sending an RST_STREAM frame. Attackers can abuse this stream cancelling ability by opening a large number of streams at once, immediately followed by RST_STREAM frames. In most HTTP/2 implementations this bypasses concurrent open stream limits and causes servers to spend processing time first handling request frames and then performing stream teardowns. For the server, these operations can pile up, whereas the attacker client paid minuscule bandwidth and processing costs.

Amazon, Cloudflare and Google have reported that this vulnerability has been exploited in the wild from August to October 2023.

This vulnerability is listed as exploitable by the Cybersecurity & Infrastructure Security Agency in their Known Exploited Vulnerabilities Catalog.

BDSA-2023-3298 (HIGH): Apache Tomcat is vulnerable to HTTP request smuggling when used behind a reverse proxy. This allows a remote attacker to append additional HTTP requests onto valid HTTP requests and can be used to bypass validation, access restricted data, or perform actions on behalf of another user or group.

BDSA-2019-4037 (HIGH): Apache Tomcat is vulnerable to session fixation due to improper handling of FORM authentication. This could allow an attacker to hijack the sessions of other users.

BDSA-2020-0339 (HIGH): Apache Tomcat is vulnerable to information disclosure due to Apache JServ Protocol (AJP) connections being given higher privileges than that of an equivalent HTTP client connection. An attacker who is able to reach the Tomcat AJP connector could return arbitrary files from the target web application which may contain sensitive information.

This vulnerability does not allow remote code execution by default.

This vulnerability is listed as exploitable by the Cybersecurity & Infrastructure Security Agency in their Known Exploited Vulnerabilities Catalog.

BDSA-2020-1193 (HIGH): Apache Tomcat is vulnerable to remote code execution (RCE) due to the improper validation of a file storage location. A remote authenticated attacker could execute arbitrary code on a vulnerable server by sending crafted requests to that server.

BDSA-2021-0711 (HIGH): Apache Tomcat is vulnerable to remote code execution (RCE) due to the improper validation of a file storage location. A remote authenticated attacker could execute arbitrary code on a vulnerable server by sending crafted requests to that server.

Note: This vulnerability was originally assigned CVE-2020-9484 (BDSA-2020-1193), however it was not completely fixed, and the vendor has stated it is still exploitable using a highly unlikely configuration edge case.

BDSA-2019-1661 (HIGH): Apache Tomcat is vulnerable to reflected cross-site scripting (XSS) due to improper validation of user-supplied input in server-side includes (SSI) commands. This could allow an attacker to inject arbitrary web scripts and steal sensitive information such as authentication tokens or user cookies.

BDSA-2018-1521 (HIGH): Apache Tomcat contains a default configuration vulnerability where the cross-origin resource sharing (CORS) filter is insecure. The setting has supportsCredentials enabled by default. An attacker could exploit this to bypass this security restriction and could result in cross-origin attacks.

BDSA-2022-1335 (HIGH): Apache Tomcat does not properly handle cases when a web application sends a WebSocket message concurrently with the WebSocket connection closing - the application will continue to use the socket after it has been closed. Due to the way connection-related objects are managed, this could result in subsequent connections using the same object concurrently, resulting in data being returned to the wrong user and/or other errors.

BDSA-2024-0129 (HIGH): Apache Tomcat is vulnerable to an information disclosure issue due to how error responses can contain data from previous HTTP requests.

An attacker could submit an incomplete POST request in order to trigger this flawed error response which could bypass controls and leak potentially sensitive information from requests made by other users.

BDSA-2024-0396 (HIGH): Apache Tomcat running on openSUSE Linux is vulnerable to privilege escalation due to improper permission handling in the Tomcat package. A local attacker that has access to the tomcat user or group could escalate their privileges to root user by running a payload on the target that wins a race condition with post-install section "%post" of the package.

Note: Only the openSUSE Apache Tomcat package is affected. Apache Tomcat installed on other platforms, or through other means is unaffected.

BDSA-2024-9762 (HIGH): Apache Tomcat is vulnerable to a remote code execution (RCE) issue due to how file case sensitivity checks can be bypassed in cases where the default servlet is write enabled on a case insensitive file system, and a concurrent read and upload of the same file occurs when Tomcat is under load.

As a result of the bypass, it can be possible for an uploaded file to be treated as a JSP file. This means that during JSP compilation, it is possible for malicious code to be executed on the server.

Note 1: The default servlet is not write enabled by default. This requires the read-only initialization parameter to be set to the non-default value of false.

Note 2: This issue originally received an incomplete fix due to missing mitigation steps to fully address the issue. CVE-2024-56337 (BDSA-2024-9919) has been released to fully detail how to address this.

BDSA-2024-9919 (HIGH): Apache Tomcat is vulnerable to a remote code execution (RCE) issue due to how file case sensitivity checks can be bypassed in cases where the default servlet is write enabled on a case insensitive file system, and a concurrent read and upload of the same file occurs when Tomcat is under load.

As a result of the bypass, it can be possible for an uploaded file to be treated as a JSP file. This means that during JSP compilation, it is possible for malicious code to be executed on the server.

Note 1: The default servlet is not write enabled by default. This requires the read-only initialization parameter to be set to the non-default value of false.

Note 2: This issue exists due to an incomplete fix for CVE-2024-50379 (BDSA-2024-9762). Additional steps to address this issue depend on the Java version used. Guidance on this has been provided by the vendor and is available in the solution.

BDSA-2025-1980 (HIGH): Apache Tomcat is vulnerable to remote code execution (RCE), information disclosure, or corruption of information via a write-enabled Default Servlet. The impact of exploitation depends on the following:

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
  • attacker knowledge of the names of security sensitive files being uploaded
  • the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:

  • writes enabled for the default servlet (disabled by default)
  • support for partial PUT (enabled by default)
  • application was using Tomcat's file based session persistence with the default storage location
  • application included a library that may be leveraged in a deserialization attack

CVE-2020-8022 (HIGH): An Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.
