{"id":"USN-7106-1","summary":"tomcat9 vulnerabilities","details":"It was discovered that Tomcat did not include the secure attribute for\nsession cookies when using the RemoteIpFilter with requests from a\nreverse proxy. An attacker could possibly use this issue to leak\nsensitive information. (CVE-2023-28708)\n\nIt was discovered that Tomcat had a vulnerability in its FORM\nauthentication feature, leading to an open redirect attack. An attacker\ncould possibly use this issue to perform phishing attacks. (CVE-2023-41080)\n\nIt was discovered that Tomcat incorrectly recycled certain objects,\nwhich could lead to information leaking from one request to the next.\nAn attacker could potentially use this issue to leak sensitive\ninformation. (CVE-2023-42795)\n\nIt was discovered that Tomcat incorrectly handled HTTP trailer headers. A\nremote attacker could possibly use this issue to perform HTTP request\nsmuggling. (CVE-2023-45648)\n\nIt was discovered that Tomcat incorrectly handled socket cleanup, which\ncould lead to websocket connections staying open. An attacker could\npossibly use this issue to cause a denial of service. (CVE-2024-23672)\n","modified":"2026-02-10T04:45:55Z","published":"2024-11-13T07:19:15Z","related":["UBUNTU-CVE-2023-28708","UBUNTU-CVE-2023-41080","UBUNTU-CVE-2023-42795","UBUNTU-CVE-2023-45648","UBUNTU-CVE-2024-23672"],"upstream":["CVE-2023-28708","CVE-2023-41080","CVE-2023-42795","CVE-2023-45648","CVE-2024-23672","UBUNTU-CVE-2023-28708","UBUNTU-CVE-2023-41080","UBUNTU-CVE-2023-42795","UBUNTU-CVE-2023-45648","UBUNTU-CVE-2024-23672"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7106-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-28708"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-41080"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-42795"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2023-45648"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2024-23672"}],"affected":[{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/tomcat9@9.0.16-3ubuntu0.18.04.2+esm4?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.16-3ubuntu0.18.04.2+esm4"}]}],"versions":["9.0.16-3~18.04.1","9.0.16-3ubuntu0.18.04.1","9.0.16-3ubuntu0.18.04.2","9.0.16-3ubuntu0.18.04.2+esm1","9.0.16-3ubuntu0.18.04.2+esm2","9.0.16-3ubuntu0.18.04.2+esm3"],"ecosystem_specific":{"binaries":[{"binary_name":"libtomcat9-embed-java","binary_version":"9.0.16-3ubuntu0.18.04.2+esm4"},{"binary_name":"libtomcat9-java","binary_version":"9.0.16-3ubuntu0.18.04.2+esm4"},{"binary_name":"tomcat9","binary_version":"9.0.16-3ubuntu0.18.04.2+esm4"},{"binary_name":"tomcat9-admin","binary_version":"9.0.16-3ubuntu0.18.04.2+esm4"},{"binary_name":"tomcat9-common","binary_version":"9.0.16-3ubuntu0.18.04.2+esm4"},{"binary_name":"tomcat9-docs","binary_version":"9.0.16-3ubuntu0.18.04.2+esm4"},{"binary_name":"tomcat9-examples","binary_version":"9.0.16-3ubuntu0.18.04.2+esm4"},{"binary_name":"tomcat9-user","binary_version":"9.0.16-3ubuntu0.18.04.2+esm4"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-28708"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-41080"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-42795"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-45648"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-23672"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7106-1.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:20.04:LTS","purl":"pkg:deb/ubuntu/tomcat9@9.0.31-1ubuntu0.8?arch=source&distro=focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.31-1ubuntu0.8"}]}],"versions":["9.0.24-1","9.0.27-1","9.0.31-1","9.0.31-1ubuntu0.1","9.0.31-1ubuntu0.2","9.0.31-1ubuntu0.3","9.0.31-1ubuntu0.4","9.0.31-1ubuntu0.5","9.0.31-1ubuntu0.6","9.0.31-1ubuntu0.7"],"ecosystem_specific":{"binaries":[{"binary_name":"libtomcat9-embed-java","binary_version":"9.0.31-1ubuntu0.8"},{"binary_name":"libtomcat9-java","binary_version":"9.0.31-1ubuntu0.8"},{"binary_name":"tomcat9","binary_version":"9.0.31-1ubuntu0.8"},{"binary_name":"tomcat9-admin","binary_version":"9.0.31-1ubuntu0.8"},{"binary_name":"tomcat9-common","binary_version":"9.0.31-1ubuntu0.8"},{"binary_name":"tomcat9-docs","binary_version":"9.0.31-1ubuntu0.8"},{"binary_name":"tomcat9-examples","binary_version":"9.0.31-1ubuntu0.8"},{"binary_name":"tomcat9-user","binary_version":"9.0.31-1ubuntu0.8"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-28708"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-41080"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-42795"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-45648"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-23672"}],"ecosystem":"Ubuntu:20.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7106-1.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/tomcat9@9.0.58-1ubuntu0.1+esm4?arch=source&distro=esm-apps/jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.58-1ubuntu0.1+esm4"}]}],"versions":["9.0.43-3","9.0.54-1","9.0.55-1","9.0.58-1","9.0.58-1ubuntu0.1","9.0.58-1ubuntu0.1+esm1","9.0.58-1ubuntu0.1+esm2","9.0.58-1ubuntu0.1+esm3"],"ecosystem_specific":{"binaries":[{"binary_name":"libtomcat9-embed-java","binary_version":"9.0.58-1ubuntu0.1+esm4"},{"binary_name":"libtomcat9-java","binary_version":"9.0.58-1ubuntu0.1+esm4"},{"binary_name":"tomcat9","binary_version":"9.0.58-1ubuntu0.1+esm4"},{"binary_name":"tomcat9-admin","binary_version":"9.0.58-1ubuntu0.1+esm4"},{"binary_name":"tomcat9-common","binary_version":"9.0.58-1ubuntu0.1+esm4"},{"binary_name":"tomcat9-docs","binary_version":"9.0.58-1ubuntu0.1+esm4"},{"binary_name":"tomcat9-examples","binary_version":"9.0.58-1ubuntu0.1+esm4"},{"binary_name":"tomcat9-user","binary_version":"9.0.58-1ubuntu0.1+esm4"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-28708"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-41080"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-42795"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2023-45648"},{"severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}],"id":"CVE-2024-23672"}],"ecosystem":"Ubuntu:Pro:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7106-1.json"}}],"schema_version":"1.7.3"}