Vulnerable Library - spring-boot-starter-web-2.1.4.RELEASE.jar
Starter for building web, including RESTful, applications using Spring MVC. Uses Tomcat as the default embedded container
Library home page: https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot-starters/spring-boot-starter-web
Path to dependency file: /nexmo-spring-boot-test-application/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot-starter-web/2.1.4.RELEASE/spring-boot-starter-web-2.1.4.RELEASE.jar
Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (7 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
CVE-2026-43512
Vulnerable Library - tomcat-embed-core-9.0.17.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /nexmo-spring-boot-test-application/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.17/tomcat-embed-core-9.0.17.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.4.RELEASE.jar (Root Library)
  - spring-boot-starter-tomcat-2.1.4.RELEASE.jar
    - ❌ tomcat-embed-core-9.0.17.jar (Vulnerable Library)
Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.
Older, unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Publish Date: 2026-05-12
URL: CVE-2026-43512
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.139%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.118
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2026-41293
Vulnerable Library - tomcat-embed-core-9.0.17.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /nexmo-spring-boot-test-application/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.17/tomcat-embed-core-9.0.17.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.4.RELEASE.jar (Root Library)
  - spring-boot-starter-tomcat-2.1.4.RELEASE.jar
    - ❌ tomcat-embed-core-9.0.17.jar (Vulnerable Library)
Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Publish Date: 2026-05-12
URL: CVE-2026-41293
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.253%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2026-05-12
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.118
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-31651
Vulnerable Library - tomcat-embed-core-9.0.17.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /nexmo-spring-boot-test-application/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.17/tomcat-embed-core-9.0.17.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.4.RELEASE.jar (Root Library)
  - spring-boot-starter-tomcat-2.1.4.RELEASE.jar
    - ❌ tomcat-embed-core-9.0.17.jar (Vulnerable Library)
Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-04-28
URL: CVE-2025-31651
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.199%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2025/04/28/3
Release Date: 2025-04-28
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.104
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2025-24813
Vulnerable Library - tomcat-embed-core-9.0.17.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /nexmo-spring-boot-test-application/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.17/tomcat-embed-core-9.0.17.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.4.RELEASE.jar (Root Library)
  - spring-boot-starter-tomcat-2.1.4.RELEASE.jar
    - ❌ tomcat-embed-core-9.0.17.jar (Vulnerable Library)
Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT
If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack
Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2025-03-10
URL: CVE-2025-24813
Threat Assessment
Exploit Maturity: Functional
EPSS: 94.13%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2025-24813
Release Date: 2025-03-10
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.99
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-56337
Vulnerable Library - tomcat-embed-core-9.0.17.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /nexmo-spring-boot-test-application/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.17/tomcat-embed-core-9.0.17.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.4.RELEASE.jar (Root Library)
  - spring-boot-starter-tomcat-2.1.4.RELEASE.jar
    - ❌ tomcat-embed-core-9.0.17.jar (Vulnerable Library)
Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
The mitigation for CVE-2024-50379 was incomplete.
Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)
Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-12-20
URL: CVE-2024-56337
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 13.16%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-20
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.98
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-52316
Vulnerable Library - tomcat-embed-core-9.0.17.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /nexmo-spring-boot-test-application/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.17/tomcat-embed-core-9.0.17.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.4.RELEASE.jar (Root Library)
  - spring-boot-starter-tomcat-2.1.4.RELEASE.jar
    - ❌ tomcat-embed-core-9.0.17.jar (Vulnerable Library)
Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-11-18
URL: CVE-2024-52316
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 2.487%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-11-18
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.96
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-50379
Vulnerable Library - tomcat-embed-core-9.0.17.jar
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /nexmo-spring-boot-test-application/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/9.0.17/tomcat-embed-core-9.0.17.jar
Dependency Hierarchy:
- spring-boot-starter-web-2.1.4.RELEASE.jar (Root Library)
  - spring-boot-starter-tomcat-2.1.4.RELEASE.jar
    - ❌ tomcat-embed-core-9.0.17.jar (Vulnerable Library)
Found in HEAD commit: 3c697156679612e93e2a8f1c4982c052a930d7d1
Found in base branch: main
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.
The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected.
Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-12-17
URL: CVE-2024-50379
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 84.776%
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tomcat.apache.org/security-11.html
Release Date: 2024-12-17
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.98
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 3.0.0
⛑️ Automatic Remediation will be attempted for this issue.