HIGH 7.5

GHSA-m7jv-hq7h-mq7c

Infinite Loop in Apache Tomcat

Details

The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
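As an added example (not Tomcat's code and not part of the advisory), the following Python parser applies the payload-length rules of RFC 6455 section 5.2 to a frame header before any payload is read. `parse_header`, `FrameError` and the 1 MiB `MAX_PAYLOAD` limit are assumptions chosen for the illustration.

```python
import struct

MAX_PAYLOAD = 1 << 20  # assumed local limit (1 MiB), not a Tomcat default

class FrameError(ValueError):
    """Frame header violates RFC 6455 section 5.2 or the local size limit."""

def parse_header(buf, max_payload=MAX_PAYLOAD):
    """Return (opcode, masked, payload_len, header_len), or None if buf is short."""
    if len(buf) < 2:
        return None
    opcode = buf[0] & 0x0F
    masked = bool(buf[1] & 0x80)
    length = buf[1] & 0x7F
    pos = 2
    if length == 126:  # 16-bit extended length follows
        if len(buf) < 4:
            return None
        (length,) = struct.unpack_from("!H", buf, 2)
        if length < 126:
            raise FrameError("non-minimal 16-bit length")
        pos = 4
    elif length == 127:  # 64-bit extended length follows
        if len(buf) < 10:
            return None
        (length,) = struct.unpack_from("!Q", buf, 2)
        if length >> 63:  # would read as negative in a signed 64-bit type
            raise FrameError("most significant bit of 64-bit length is set")
        if length <= 0xFFFF:
            raise FrameError("non-minimal 64-bit length")
        pos = 10
    if opcode & 0x08 and length > 125:
        raise FrameError("control frame payload over 125 bytes")
    if length > max_payload:
        raise FrameError("payload exceeds local limit")
    header_len = pos + (4 if masked else 0)  # masking key is 4 bytes
    if len(buf) < header_len:
        return None
    return opcode, masked, length, header_len

# Constructed sample headers (not captured traffic).
SAMPLES = {
    "short text": bytes([0x81, 0x85]) + b"\x00" * 4,
    "16-bit length": bytes([0x82, 0xFE]) + struct.pack("!H", 300) + b"\x00" * 4,
    "msb set": bytes([0x82, 0xFF]) + struct.pack("!Q", 1 << 63) + b"\x00" * 4,
}
```

Rejecting the header outright, rather than continuing to read, ensures a malformed length closes the connection instead of leaving the reader waiting on a frame that can never complete.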

Affected packages

Maven / org.apache.tomcat:tomcat
Introduced in: 10.0.0-M1 Fixed in: 10.0.0-M7
Fix # pom.xml: bump <version>10.0.0-M7</version> for org.apache.tomcat:tomcat
Maven / org.apache.tomcat:tomcat
Introduced in: 9.0.0.M1 Fixed in: 9.0.37
Fix # pom.xml: bump <version>9.0.37</version> for org.apache.tomcat:tomcat
Maven / org.apache.tomcat:tomcat
Introduced in: 8.5.0 Fixed in: 8.5.57
Fix # pom.xml: bump <version>8.5.57</version> for org.apache.tomcat:tomcat
Maven / org.apache.tomcat:tomcat
Introduced in: 7.0.27 Fixed in: 7.0.105
Fix # pom.xml: bump <version>7.0.105</version> for org.apache.tomcat:tomcat
Maven / org.apache.tomcat.embed:tomcat-embed-websocket
Introduced in: 7.0.27 Fixed in: 7.0.105
Fix # pom.xml: bump <version>7.0.105</version> for org.apache.tomcat.embed:tomcat-embed-websocket
Maven / org.apache.tomcat.embed:tomcat-embed-websocket
Introduced in: 8.5.0 Fixed in: 8.5.57
Fix # pom.xml: bump <version>8.5.57</version> for org.apache.tomcat.embed:tomcat-embed-websocket
Maven / org.apache.tomcat.embed:tomcat-embed-websocket
Introduced in: 9.0.0.M1 Fixed in: 9.0.37
Fix # pom.xml: bump <version>9.0.37</version> for org.apache.tomcat.embed:tomcat-embed-websocket
Maven / org.apache.tomcat.embed:tomcat-embed-websocket
Introduced in: 10.0.0-M1 Fixed in: 10.0.0-M7
Fix # pom.xml: bump <version>10.0.0-M7</version> for org.apache.tomcat.embed:tomcat-embed-websocket
Maven / org.apache.tomcat:tomcat-websocket
Introduced in: 10.0.0-M1 Fixed in: 10.0.0-M7
Fix # pom.xml: bump <version>10.0.0-M7</version> for org.apache.tomcat:tomcat-websocket
Maven / org.apache.tomcat:tomcat-websocket
Introduced in: 9.0.0.M1 Fixed in: 9.0.37
Fix # pom.xml: bump <version>9.0.37</version> for org.apache.tomcat:tomcat-websocket
Maven / org.apache.tomcat:tomcat-websocket
Introduced in: 8.5.0 Fixed in: 8.5.57
Fix # pom.xml: bump <version>8.5.57</version> for org.apache.tomcat:tomcat-websocket
Maven / org.apache.tomcat:tomcat-websocket
Introduced in: 7.0.27 Fixed in: 7.0.105
Fix # pom.xml: bump <version>7.0.105</version> for org.apache.tomcat:tomcat-websocket