Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process, leading to information leaking from the current request/response to the next.
Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
The product does not properly “clean up” and remove temporary or supporting resources after they have been used.
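
The failure mode described above, as an added illustration (not Tomcat source and not part of the original advisory): a pooled request object whose cleanup step throws, so the remaining fields are never cleared and the next request inherits them. `PooledRequest`, its fields and the token value are hypothetical, and the hardened variant shows one general mitigation, not the project's actual patch.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration; NOT Tomcat code. All names and values are hypothetical.
public class RecycleDemo {

    /** Per-request state that a container reuses across requests. */
    static class PooledRequest {
        String authHeader;
        final StringBuilder body = new StringBuilder();
        AutoCloseable upload; // e.g. a temp-file handle; close() may throw

        // Flawed: if upload.close() throws, the lines after it never run.
        void recycleUnsafe() throws Exception {
            if (upload != null) upload.close();
            upload = null;
            authHeader = null;
            body.setLength(0);
        }

        // Hardened: fields are cleared in finally, so a failing step cannot skip them.
        void recycleSafe() {
            try {
                if (upload != null) upload.close();
            } catch (Exception e) {
                // report the error, but cleanup must still finish
            } finally {
                upload = null;
                authHeader = null;
                body.setLength(0);
            }
        }
    }

    /** Request A's cleanup fails; returns what request B finds on the reused object. */
    static String seenByNextRequest(boolean safe) {
        Deque<PooledRequest> pool = new ArrayDeque<>();
        PooledRequest r = new PooledRequest();
        r.authHeader = "Bearer constructed-token-A"; // constructed sample value
        r.upload = () -> { throw new IllegalStateException("cleanup failed"); };
        try {
            if (safe) r.recycleSafe(); else r.recycleUnsafe();
        } catch (Exception e) {
            // error is swallowed and the object goes back to the pool anyway
        }
        pool.push(r);
        return pool.pop().authHeader; // read before request B sets anything
    }

    public static void main(String[] args) {
        System.out.println("unsafe recycle -> next request sees: " + seenByNextRequest(false));
        System.out.println("safe recycle   -> next request sees: " + seenByNextRequest(true));
    }
}
```
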
Name | Vendor | Start Version | End Version |
---|---|---|---|
Tomcat | Apache | 8.5.0 (including) | 8.5.94 (excluding) |
Tomcat | Apache | 9.0.1 (including) | 9.0.81 (excluding) |
Tomcat | Apache | 10.1.1 (including) | 10.1.14 (excluding) |
Tomcat | Apache | 9.0.0-milestone1 (including) | 9.0.0-milestone1 (including) |
Tomcat | Apache | 9.0.0-milestone10 (including) | 9.0.0-milestone10 (including) |
Tomcat | Apache | 9.0.0-milestone11 (including) | 9.0.0-milestone11 (including) |
Tomcat | Apache | 9.0.0-milestone12 (including) | 9.0.0-milestone12 (including) |
Tomcat | Apache | 9.0.0-milestone13 (including) | 9.0.0-milestone13 (including) |
Tomcat | Apache | 9.0.0-milestone14 (including) | 9.0.0-milestone14 (including) |
Tomcat | Apache | 9.0.0-milestone15 (including) | 9.0.0-milestone15 (including) |
Tomcat | Apache | 9.0.0-milestone16 (including) | 9.0.0-milestone16 (including) |
Tomcat | Apache | 9.0.0-milestone17 (including) | 9.0.0-milestone17 (including) |
Tomcat | Apache | 9.0.0-milestone18 (including) | 9.0.0-milestone18 (including) |
Tomcat | Apache | 9.0.0-milestone19 (including) | 9.0.0-milestone19 (including) |
Tomcat | Apache | 9.0.0-milestone2 (including) | 9.0.0-milestone2 (including) |
Tomcat | Apache | 9.0.0-milestone20 (including) | 9.0.0-milestone20 (including) |
Tomcat | Apache | 9.0.0-milestone21 (including) | 9.0.0-milestone21 (including) |
Tomcat | Apache | 9.0.0-milestone22 (including) | 9.0.0-milestone22 (including) |
Tomcat | Apache | 9.0.0-milestone23 (including) | 9.0.0-milestone23 (including) |
Tomcat | Apache | 9.0.0-milestone24 (including) | 9.0.0-milestone24 (including) |
Tomcat | Apache | 9.0.0-milestone25 (including) | 9.0.0-milestone25 (including) |
Tomcat | Apache | 9.0.0-milestone26 (including) | 9.0.0-milestone26 (including) |
Tomcat | Apache | 9.0.0-milestone27 (including) | 9.0.0-milestone27 (including) |
Tomcat | Apache | 9.0.0-milestone3 (including) | 9.0.0-milestone3 (including) |
Tomcat | Apache | 9.0.0-milestone4 (including) | 9.0.0-milestone4 (including) |
Tomcat | Apache | 9.0.0-milestone5 (including) | 9.0.0-milestone5 (including) |
Tomcat | Apache | 9.0.0-milestone6 (including) | 9.0.0-milestone6 (including) |
Tomcat | Apache | 9.0.0-milestone7 (including) | 9.0.0-milestone7 (including) |
Tomcat | Apache | 9.0.0-milestone8 (including) | 9.0.0-milestone8 (including) |
Tomcat | Apache | 9.0.0-milestone9 (including) | 9.0.0-milestone9 (including) |
Tomcat | Apache | 10.1.0-milestone1 (including) | 10.1.0-milestone1 (including) |
Tomcat | Apache | 10.1.0-milestone10 (including) | 10.1.0-milestone10 (including) |
Tomcat | Apache | 10.1.0-milestone11 (including) | 10.1.0-milestone11 (including) |
Tomcat | Apache | 10.1.0-milestone12 (including) | 10.1.0-milestone12 (including) |
Tomcat | Apache | 10.1.0-milestone13 (including) | 10.1.0-milestone13 (including) |
Tomcat | Apache | 10.1.0-milestone14 (including) | 10.1.0-milestone14 (including) |
Tomcat | Apache | 10.1.0-milestone15 (including) | 10.1.0-milestone15 (including) |
Tomcat | Apache | 10.1.0-milestone16 (including) | 10.1.0-milestone16 (including) |
Tomcat | Apache | 10.1.0-milestone17 (including) | 10.1.0-milestone17 (including) |
Tomcat | Apache | 10.1.0-milestone18 (including) | 10.1.0-milestone18 (including) |
Tomcat | Apache | 10.1.0-milestone19 (including) | 10.1.0-milestone19 (including) |
Tomcat | Apache | 10.1.0-milestone2 (including) | 10.1.0-milestone2 (including) |
Tomcat | Apache | 10.1.0-milestone20 (including) | 10.1.0-milestone20 (including) |
Tomcat | Apache | 10.1.0-milestone3 (including) | 10.1.0-milestone3 (including) |
Tomcat | Apache | 10.1.0-milestone4 (including) | 10.1.0-milestone4 (including) |
Tomcat | Apache | 10.1.0-milestone5 (including) | 10.1.0-milestone5 (including) |
Tomcat | Apache | 10.1.0-milestone6 (including) | 10.1.0-milestone6 (including) |
Tomcat | Apache | 10.1.0-milestone7 (including) | 10.1.0-milestone7 (including) |
Tomcat | Apache | 10.1.0-milestone8 (including) | 10.1.0-milestone8 (including) |
Tomcat | Apache | 10.1.0-milestone9 (including) | 10.1.0-milestone9 (including) |
Tomcat | Apache | 11.0.0-milestone1 (including) | 11.0.0-milestone1 (including) |
Tomcat | Apache | 11.0.0-milestone10 (including) | 11.0.0-milestone10 (including) |
Tomcat | Apache | 11.0.0-milestone11 (including) | 11.0.0-milestone11 (including) |
Tomcat | Apache | 11.0.0-milestone2 (including) | 11.0.0-milestone2 (including) |
Tomcat | Apache | 11.0.0-milestone3 (including) | 11.0.0-milestone3 (including) |
Tomcat | Apache | 11.0.0-milestone4 (including) | 11.0.0-milestone4 (including) |
Tomcat | Apache | 11.0.0-milestone5 (including) | 11.0.0-milestone5 (including) |
Tomcat | Apache | 11.0.0-milestone6 (including) | 11.0.0-milestone6 (including) |
Tomcat | Apache | 11.0.0-milestone7 (including) | 11.0.0-milestone7 (including) |
Tomcat | Apache | 11.0.0-milestone8 (including) | 11.0.0-milestone8 (including) |
Tomcat | Apache | 11.0.0-milestone9 (including) | 11.0.0-milestone9 (including) |
Red Hat Enterprise Linux 8 | RedHat | tomcat-1:9.0.62-27.el8_9.2 | * |
Red Hat Enterprise Linux 9 | RedHat | tomcat-1:9.0.62-37.el9_3.1 | * |
Red Hat Fuse 7.12.1 | RedHat | tomcat | * |
Red Hat JBoss Web Server 5 | RedHat | tomcat | * |
Red Hat JBoss Web Server 5.7 on RHEL 7 | RedHat | jws5-tomcat-0:9.0.62-18.redhat_00016.1.el7jws | * |
Red Hat JBoss Web Server 5.7 on RHEL 8 | RedHat | jws5-tomcat-0:9.0.62-18.redhat_00016.1.el8jws | * |
Red Hat JBoss Web Server 5.7 on RHEL 9 | RedHat | jws5-tomcat-0:9.0.62-18.redhat_00016.1.el9jws | * |
Tomcat10 | Ubuntu | bionic | * |
Tomcat10 | Ubuntu | lunar | * |
Tomcat10 | Ubuntu | mantic | * |
Tomcat10 | Ubuntu | trusty | * |
Tomcat10 | Ubuntu | upstream | * |
Tomcat10 | Ubuntu | xenial | * |
Tomcat8 | Ubuntu | bionic | * |
Tomcat8 | Ubuntu | esm-apps/bionic | * |
Tomcat8 | Ubuntu | trusty | * |
Tomcat8 | Ubuntu | xenial | * |
Tomcat9 | Ubuntu | bionic | * |
Tomcat9 | Ubuntu | devel | * |
Tomcat9 | Ubuntu | esm-apps/bionic | * |
Tomcat9 | Ubuntu | esm-apps/focal | * |
Tomcat9 | Ubuntu | esm-apps/jammy | * |
Tomcat9 | Ubuntu | esm-apps/noble | * |
Tomcat9 | Ubuntu | focal | * |
Tomcat9 | Ubuntu | jammy | * |
Tomcat9 | Ubuntu | lunar | * |
Tomcat9 | Ubuntu | mantic | * |
Tomcat9 | Ubuntu | noble | * |
Tomcat9 | Ubuntu | oracular | * |
Tomcat9 | Ubuntu | plucky | * |
Tomcat9 | Ubuntu | trusty | * |
Tomcat9 | Ubuntu | xenial | * |