
[CIVN-2026-0188] Multiple Vulnerabilities in Apache Tomcat
Multiple Vulnerabilities in Apache Tomcat
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
affected from 11.0.0-M14 to 11.0.20
affected from 10.1.22 to 10.1.53
affected from 9.0.92 to 9.0.116
affected from 11.0.0-M1 to 11.0.20
affected from 10.1.0-M1 to 10.1.53
affected from 9.0.13 to 9.0.116
affected from 9.0.40 to 9.0.116
affected from 8.5.84 to 8.5.100
affected at 11.0.20
affected at 10.1.53
affected at 9.0.116
Overview
Multiple vulnerabilities have been reported in Apache Tomcat, which could allow an attacker to bypass security restrictions and access sensitive information on the targeted system.
Target Audience:
All end-user organizations and individuals responsible for maintaining and updating Apache Tomcat.
Risk Assessment:
High risk of authentication bypass and unauthorized access to sensitive data.
Impact Assessment:
Potential for sensitive information disclosure and system compromise.
Description
Apache Tomcat is an open-source web server and servlet container that runs Java-based web applications.
Multiple vulnerabilities have been identified in Apache Tomcat due to improper authentication handling, insertion of sensitive information into log files, missing encryption of sensitive data, and improper encoding or escaping of output in the JsonAccessLogValve component.
Successful exploitation of these vulnerabilities could allow an attacker to bypass security restrictions and access sensitive information on the targeted system.
Solution
Apply appropriate fixes as mentioned in the Apache Tomcat Security Updates:
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.21
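To find which installations need the update, the following added example (not part of the CERT-In advisory or of Apache's tooling) checks a Tomcat version string against the ranges in the Software Affected list, ordering milestone builds such as 11.0.0-M14 before the final release. The advisory does not say which range belongs to which CVE, so the ranges are kept as a flat list; the banner strings in the demo are constructed sample input.

```python
import re

# Inclusive ranges copied from the "Software Affected" list in this advisory.
# The advisory does not map ranges to CVEs, so they are kept as a flat list.
AFFECTED_RANGES = [
    ("11.0.0-M14", "11.0.20"), ("10.1.22", "10.1.53"), ("9.0.92", "9.0.116"),
    ("11.0.0-M1", "11.0.20"), ("10.1.0-M1", "10.1.53"), ("9.0.13", "9.0.116"),
    ("9.0.40", "9.0.116"), ("8.5.84", "8.5.100"),
    ("11.0.20", "11.0.20"), ("10.1.53", "10.1.53"), ("9.0.116", "9.0.116"),
]

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")


def parse_version(text):
    """Return a sortable key for a Tomcat version such as '11.0.0-M14'.

    Accepts a bare version or a banner like 'Apache Tomcat/10.1.30'.
    Milestone builds (-Mn) sort before the final release of the same x.y.z.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    if m.group(4) is not None:
        return (major, minor, patch, 0, int(m.group(4)))  # milestone
    return (major, minor, patch, 1, 0)                    # final release


def matching_ranges(version):
    """List every advisory range (low, high) that contains the version."""
    key = parse_version(version)
    return [(lo, hi) for lo, hi in AFFECTED_RANGES
            if parse_version(lo) <= key <= parse_version(hi)]


def is_affected(version):
    return bool(matching_ranges(version))


if __name__ == "__main__":
    # Constructed inventory of version banners, not taken from the advisory.
    for banner in ["Apache Tomcat/11.0.0-M7", "Apache Tomcat/10.1.21",
                   "Apache Tomcat/9.0.12", "Apache Tomcat/8.5.100",
                   "Apache Tomcat/11.0.21"]:
        hits = matching_ranges(banner)
        status = f"AFFECTED {hits}" if hits else "not in listed ranges"
        print(f"{banner}: {status}")
```

A version outside every listed range is only "not listed here"; end-of-life branches and other advisories still need their own check.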
Vendor Information
Apache Tomcat
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.21
References
Apache Tomcat
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.21
CVE Name
CVE-2026-34500
CVE-2026-34487
CVE-2026-34486
CVE-2026-34483
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


