{"id":"USN-8417-1","summary":"tomcat9, tomcat10 vulnerabilities","details":"It was discovered that Tomcat did not properly limit the size of\nWebDAV LOCK and PROPFIND request bodies. A remote attacker could\nuse this issue to cause Tomcat to consume excessive memory,\nresulting in a denial of service. (CVE-2026-41284)\n\nIt was discovered that Tomcat incorrectly validated HTTP/2 header\nfields. A remote attacker could use this issue to cause Tomcat to\ncrash or possibly execute arbitrary code. (CVE-2026-41293)\n\nIt was discovered that Tomcat did not properly clear HTTP\nauthentication headers during WebSocket connection upgrades and\nredirects. A remote attacker could use this issue to obtain\nsensitive credentials. (CVE-2026-42498)\n\nIt was discovered that Tomcat incorrectly handled digest\nauthentication. A remote attacker could possibly use this issue to\nbypass authentication restrictions. (CVE-2026-43512)\n\nIt was discovered that Tomcat incorrectly handled case sensitivity\nin LockOutRealm. A remote attacker could possibly use this issue to\nbypass account lockout protections and obtain sensitive information.\n(CVE-2026-43513)\n\nIt was discovered that Tomcat incorrectly handled authorization\nwhen multiple method constraints defined the same HTTP method. A\nremote attacker could possibly use this issue to bypass\nauthorization restrictions. (CVE-2026-43515)","modified":"2026-06-10T14:03:53.130459504Z","published":"2026-06-10T06:44:15Z","upstream":["CVE-2026-41284","CVE-2026-41293","CVE-2026-42498","CVE-2026-43512","CVE-2026-43513","CVE-2026-43515","UBUNTU-CVE-2026-41284","UBUNTU-CVE-2026-41293","UBUNTU-CVE-2026-42498","UBUNTU-CVE-2026-43512","UBUNTU-CVE-2026-43513","UBUNTU-CVE-2026-43515"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8417-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-41284"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-41293"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-42498"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-43512"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-43513"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-43515"}],"affected":[{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=esm-apps%2Fbionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.16-3ubuntu0.18.04.2+esm8"}]}],"versions":["9.0.16-3~18.04.1","9.0.16-3ubuntu0.18.04.1","9.0.16-3ubuntu0.18.04.2","9.0.16-3ubuntu0.18.04.2+esm1","9.0.16-3ubuntu0.18.04.2+esm2","9.0.16-3ubuntu0.18.04.2+esm3","9.0.16-3ubuntu0.18.04.2+esm4","9.0.16-3ubuntu0.18.04.2+esm5","9.0.16-3ubuntu0.18.04.2+esm6","9.0.16-3ubuntu0.18.04.2+esm7"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm8","binary_name":"libtomcat9-embed-java"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm8","binary_name":"libtomcat9-java"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm8","binary_name":"tomcat9"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm8","binary_name":"tomcat9-admin"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm8","binary_name":"tomcat9-common"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm8","binary_name":"tomcat9-docs"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm8","binary_name":"tomcat9-examples"},{"binary_version":"9.0.16-3ubuntu0.18.04.2+esm8","binary_name":"tomcat9-user"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:18.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=esm-apps%2Ffocal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.31-1ubuntu0.9+esm3"}]}],"versions":["9.0.24-1","9.0.27-1","9.0.31-1","9.0.31-1ubuntu0.1","9.0.31-1ubuntu0.2","9.0.31-1ubuntu0.3","9.0.31-1ubuntu0.4","9.0.31-1ubuntu0.5","9.0.31-1ubuntu0.6","9.0.31-1ubuntu0.7","9.0.31-1ubuntu0.8","9.0.31-1ubuntu0.9","9.0.31-1ubuntu0.9+esm1","9.0.31-1ubuntu0.9+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.31-1ubuntu0.9+esm3","binary_name":"libtomcat9-embed-java"},{"binary_version":"9.0.31-1ubuntu0.9+esm3","binary_name":"libtomcat9-java"},{"binary_version":"9.0.31-1ubuntu0.9+esm3","binary_name":"tomcat9"},{"binary_version":"9.0.31-1ubuntu0.9+esm3","binary_name":"tomcat9-admin"},{"binary_version":"9.0.31-1ubuntu0.9+esm3","binary_name":"tomcat9-common"},{"binary_version":"9.0.31-1ubuntu0.9+esm3","binary_name":"tomcat9-docs"},{"binary_version":"9.0.31-1ubuntu0.9+esm3","binary_name":"tomcat9-examples"},{"binary_version":"9.0.31-1ubuntu0.9+esm3","binary_name":"tomcat9-user"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:20.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:22.04:LTS","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=esm-apps%2Fjammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.58-1ubuntu0.2+esm4"}]}],"versions":["9.0.43-3","9.0.54-1","9.0.55-1","9.0.58-1","9.0.58-1ubuntu0.1","9.0.58-1ubuntu0.1+esm1","9.0.58-1ubuntu0.1+esm2","9.0.58-1ubuntu0.1+esm3","9.0.58-1ubuntu0.1+esm4","9.0.58-1ubuntu0.2","9.0.58-1ubuntu0.2+esm1","9.0.58-1ubuntu0.2+esm2","9.0.58-1ubuntu0.2+esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.58-1ubuntu0.2+esm4","binary_name":"libtomcat9-embed-java"},{"binary_version":"9.0.58-1ubuntu0.2+esm4","binary_name":"libtomcat9-java"},{"binary_version":"9.0.58-1ubuntu0.2+esm4","binary_name":"tomcat9"},{"binary_version":"9.0.58-1ubuntu0.2+esm4","binary_name":"tomcat9-admin"},{"binary_version":"9.0.58-1ubuntu0.2+esm4","binary_name":"tomcat9-common"},{"binary_version":"9.0.58-1ubuntu0.2+esm4","binary_name":"tomcat9-docs"},{"binary_version":"9.0.58-1ubuntu0.2+esm4","binary_name":"tomcat9-examples"},{"binary_version":"9.0.58-1ubuntu0.2+esm4","binary_name":"tomcat9-user"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:22.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}},{"package":{"name":"tomcat10","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/tomcat10?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"10.1.16-1ubuntu0.1~esm4"}]}],"versions":["10.1.10-1","10.1.14-1","10.1.15-1","10.1.16-1","10.1.16-1ubuntu0.1~esm1","10.1.16-1ubuntu0.1~esm2","10.1.16-1ubuntu0.1~esm3"],"ecosystem_specific":{"binaries":[{"binary_version":"10.1.16-1ubuntu0.1~esm4","binary_name":"libtomcat10-embed-java"},{"binary_version":"10.1.16-1ubuntu0.1~esm4","binary_name":"libtomcat10-java"},{"binary_version":"10.1.16-1ubuntu0.1~esm4","binary_name":"tomcat10"},{"binary_version":"10.1.16-1ubuntu0.1~esm4","binary_name":"tomcat10-admin"},{"binary_version":"10.1.16-1ubuntu0.1~esm4","binary_name":"tomcat10-common"},{"binary_version":"10.1.16-1ubuntu0.1~esm4","binary_name":"tomcat10-docs"},{"binary_version":"10.1.16-1ubuntu0.1~esm4","binary_name":"tomcat10-examples"},{"binary_version":"10.1.16-1ubuntu0.1~esm4","binary_name":"tomcat10-user"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:Pro:24.04:LTS","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=esm-apps%2Fnoble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.70-2ubuntu0.1+esm3"}]}],"versions":["9.0.70-1ubuntu1","9.0.70-2","9.0.70-2ubuntu0.1","9.0.70-2ubuntu0.1+esm1","9.0.70-2ubuntu0.1+esm2"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.70-2ubuntu0.1+esm3","binary_name":"libtomcat9-java"}],"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:Pro:24.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}},{"package":{"name":"tomcat10","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/tomcat10?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"10.1.40-1ubuntu1.25.10.1"}]}],"versions":["10.1.35-1","10.1.40-1","10.1.40-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"10.1.40-1ubuntu1.25.10.1","binary_name":"libtomcat10-embed-java"},{"binary_version":"10.1.40-1ubuntu1.25.10.1","binary_name":"libtomcat10-java"},{"binary_version":"10.1.40-1ubuntu1.25.10.1","binary_name":"tomcat10"},{"binary_version":"10.1.40-1ubuntu1.25.10.1","binary_name":"tomcat10-admin"},{"binary_version":"10.1.40-1ubuntu1.25.10.1","binary_name":"tomcat10-common"},{"binary_version":"10.1.40-1ubuntu1.25.10.1","binary_name":"tomcat10-docs"},{"binary_version":"10.1.40-1ubuntu1.25.10.1","binary_name":"tomcat10-examples"},{"binary_version":"10.1.40-1ubuntu1.25.10.1","binary_name":"tomcat10-user"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:25.10"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.95-1ubuntu1.1"}]}],"versions":["9.0.70-2ubuntu1.1","9.0.70-2ubuntu2","9.0.70-2ubuntu3","9.0.95-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.95-1ubuntu1.1","binary_name":"libtomcat9-java"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:25.10"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}},{"package":{"name":"tomcat10","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/tomcat10?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"10.1.40-1ubuntu1.26.04.1"}]}],"versions":["10.1.40-1ubuntu1"],"ecosystem_specific":{"binaries":[{"binary_version":"10.1.40-1ubuntu1.26.04.1","binary_name":"libtomcat10-embed-java"},{"binary_version":"10.1.40-1ubuntu1.26.04.1","binary_name":"libtomcat10-java"},{"binary_version":"10.1.40-1ubuntu1.26.04.1","binary_name":"tomcat10"},{"binary_version":"10.1.40-1ubuntu1.26.04.1","binary_name":"tomcat10-admin"},{"binary_version":"10.1.40-1ubuntu1.26.04.1","binary_name":"tomcat10-common"},{"binary_version":"10.1.40-1ubuntu1.26.04.1","binary_name":"tomcat10-docs"},{"binary_version":"10.1.40-1ubuntu1.26.04.1","binary_name":"tomcat10-examples"},{"binary_version":"10.1.40-1ubuntu1.26.04.1","binary_name":"tomcat10-user"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:26.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}},{"package":{"name":"tomcat9","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/tomcat9?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.115-1ubuntu0.1"}]}],"versions":["9.0.95-1ubuntu1","9.0.111-1","9.0.115-1"],"ecosystem_specific":{"binaries":[{"binary_version":"9.0.115-1ubuntu0.1","binary_name":"libtomcat9-java"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[],"ecosystem":"Ubuntu:26.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8417-1.json"}}],"schema_version":"1.7.5"}