Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency org.apache.tomcat:tomcat-catalina to v9.0.98 [security] #163

Open
wants to merge 1 commit into
base: dev
Choose a base branch
from
Open

fix(deps): update dependency org.apache.tomcat:tomcat-catalina to v9.0.98 [security] #163

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Nov 19, 2024
edited
Loading

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
org.apache.tomcat:tomcat-catalina 9.0.91 -> 9.0.98 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

Apache Tomcat - Authentication Bypass

BIT-tomcat-2024-52316 / CVE-2024-52316 / GHSA-xcpr-7mr4-h4xq

More information

Details

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95.

Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Apache Tomcat Uncontrolled Resource Consumption vulnerability

BIT-tomcat-2024-54677 / CVE-2024-54677 / GHSA-653p-vg55-5652

More information

Details

Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat leads to denial of service.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.9.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability

BIT-tomcat-2024-50379 / CVE-2024-50379 / GHSA-5j33-cvvr-w245

More information

Details

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

Users are recommended to upgrade to version 11.0.2, 10.1.34 or 9.0.98, which fixes the issue.

Severity

  • CVSS Score: 9.8 / 10 (Critical)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from gipo355 as a code owner November 19, 2024 06:25
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Nov 19, 2024
edited
Loading

⚠️ No Changeset found

Latest commit: 4bc7731

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@renovate renovate bot force-pushed the renovate/maven-org.apache.tomcat-tomcat-catalina-vulnerability branch from 635dcad to 4bc7731 Compare December 18, 2024 08:43
@renovate renovate bot changed the title fix(deps): update dependency org.apache.tomcat:tomcat-catalina to v9.0.96 [security] fix(deps): update dependency org.apache.tomcat:tomcat-catalina to v9.0.98 [security] Dec 18, 2024
@sonarqubecloud SonarQubeCloud
Copy link

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gipo355 gipo355 Awaiting requested review from gipo355 gipo355 is a code owner

Assignees
No one assigned
Labels
Gradle security bot update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants