
[CIVN-2026-0267] Multiple Vulnerabilities in Apache Tomcat
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Multiple Vulnerabilities in Apache Tomcat
Indian Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
Apache Tomcat version 11.0.0-M1 to 11.0.21
Apache Tomcat version 10.1.0-M1 to 10.1.54
Apache Tomcat version 9.0.0.M1 to 9.0.117
Apache Tomcat version 8.5.0 to 8.5.100
Apache Tomcat version 7.0.0 to 7.0.109
Apache Tomcat version before 7.0.0
Apache Tomcat version 9.0.2 to 9.0.117
Apache Tomcat version 10.0.0-M1 to 10.0.27
Overview
Multiple vulnerabilities have been reported in Apache Tomcat, which could allow an attacker to bypass security restrictions, gain unauthorized access, disclose sensitive information, or cause denial-of-service conditions on the targeted system.
Target Audience:
All end-user organizations and individuals responsible for maintaining and updating Apache Tomcat.
Risk Assessment:
High risk of authentication bypass, unauthorized access, sensitive information disclosure, and denial-of-service conditions.
Impact Assessment:
Potential for sensitive information disclosure, bypass of security controls, or system compromise.
Description
Apache Tomcat is an open-source web server and servlet container that runs Java-based web applications.
Multiple vulnerabilities have been identified in Apache Tomcat due to improper authorization, authentication bypass, improper input validation, observable timing discrepancies, improper handling of case sensitivity, exposure of HTTP authentication headers to unexpected hosts during WebSocket authentication, and allocation of resources without limits or throttling.
Successful exploitation of these vulnerabilities could allow an attacker to bypass security restrictions, gain unauthorized access, disclose sensitive information, conduct denial-of-service attacks, or compromise the confidentiality and integrity of the targeted system.
Solution
Apply appropriate fixes as mentioned in the Apache Tomcat Security Updates:
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.22
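Before applying fixes, administrators usually need to decide whether a given Tomcat instance falls inside the ranges listed under "Software Affected". The following is an added example, not CERT-In's or the Apache Tomcat project's code: it parses the output of Tomcat's own `$CATALINA_HOME/bin/version.sh` (the "Server number" / "Server version" lines) and compares the version against the advisory's inclusive ranges, treating milestone builds ("11.0.0-M1", "9.0.0.M1") as sorting before the GA release of the same number. The overlapping 9.0.x entries from the advisory are merged into one range, and the version.sh sample below is constructed for the example.

```python
"""Added example (not CERT-In's or Tomcat's code): check a Tomcat version
string against the affected ranges listed in this advisory."""
import re
from typing import Optional, Tuple

# Inclusive ranges copied from the "Software Affected" section above.  The
# "9.0.2 to 9.0.117" entry is already covered by "9.0.0.M1 to 9.0.117".
# A lower bound of None stands for "before 7.0.0".
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.21"),
    ("10.1.0-M1", "10.1.54"),
    ("10.0.0-M1", "10.0.27"),
    ("9.0.0.M1", "9.0.117"),
    ("8.5.0", "8.5.100"),
    ("7.0.0", "7.0.109"),
    (None, "7.0.0"),
]

# MAJOR.MINOR.PATCH, an optional milestone written "-M3" (10.x/11.x style) or
# ".M3" (9.0.0.M1 style), and an optional trailing build number ("9.0.117.0").
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?(?:\.\d+)?")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return a sortable key: "11.0.0-M5" < "11.0.0" < "11.0.1".

    The fourth field is 1 for a GA release and 0 for a milestone, so any
    milestone of a version number sorts below its GA release.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    milestone = m.group(4)
    if milestone is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(milestone))


def affected_range(version: str) -> Optional[Tuple[Optional[str], str]]:
    """Return the advisory range containing `version`, or None if it is
    outside every listed range (e.g. a fixed release such as 11.0.22)."""
    key = parse_version(version)
    for low, high in AFFECTED_RANGES:
        if low is None:
            if key < parse_version(high):
                return (low, high)
        elif parse_version(low) <= key <= parse_version(high):
            return (low, high)
    return None


def version_from_version_sh(output: str) -> str:
    """Extract the version from version.sh output, preferring the
    'Server number' line and falling back to 'Apache Tomcat/x.y.z'."""
    m = re.search(r"Server number:\s*(\S+)", output)
    if m:
        return m.group(1)
    m = re.search(r"Apache Tomcat/(\S+)", output)
    if m:
        return m.group(1)
    raise ValueError("version.sh output did not contain a server version")


# Constructed sample of version.sh output, trimmed to the relevant lines.
SAMPLE_VERSION_SH = """\
Server version: Apache Tomcat/9.0.117
Server built:   (omitted)
Server number:  9.0.117.0
OS Name:        Linux
"""

if __name__ == "__main__":
    checks = [version_from_version_sh(SAMPLE_VERSION_SH),
              "11.0.22", "11.0.0-M5", "10.1.55", "6.0.53"]
    for v in checks:
        hit = affected_range(v)
        status = f"AFFECTED, in range {hit}" if hit else "not in any listed range"
        print(f"{v:12} {status}")
```

A version that the checker reports as outside every listed range is not proof of safety: the advisory only names the fixed release for the 11.0.x branch (11.0.22), so for other branches confirm the fixed version on the corresponding Apache Tomcat security page before closing the finding.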
Vendor Information
Apache Tomcat
https://tomcat.apache.org
References
Apache Tomcat
https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.22
CVE Name
CVE-2026-43512
CVE-2026-43513
CVE-2026-43514
CVE-2026-43515
CVE-2026-41284
CVE-2026-41293
CVE-2026-42498
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


