SB2026060851 - Debian update for tomcat11
Published: June 8, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 17 vulnerabilities.
1) Improper authorization (CVE-ID: CVE-2026-24734)
CWE-ID: CWE-285 - Improper Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to incomplete OCSP verification checks. When using an OCSP responder, Tomcat's FFM integration with OpenSSL does not complete verification or freshness checks on the OCSP response. A remote attacker can bypass certificate revocation and gain unauthorized access to the application.
2) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2026-24880)
CWE-ID: CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to perform request smuggling.
The vulnerability exists due to improper input validation in HTTP/1.1 chunk extension handling when parsing chunked requests. A remote attacker can send a specially crafted request with an invalid chunk extension to perform request smuggling.
Exploitation requires a reverse proxy in front of Tomcat that allows CRLF sequences in an otherwise valid chunk extension.
3) Open redirect (CVE-ID: CVE-2026-25854)
CWE-ID: CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to redirect users to an arbitrary URI.
The vulnerability exists due to improper input validation in LoadBalancerDrainingValve when handling a specially crafted URL while a Tomcat node is in the disabled (draining) state. A remote attacker can send a specially crafted URL to redirect users to an arbitrary URI.
Only clustered deployments using LoadBalancerDrainingValve in the disabled (draining) state are affected.
4) Configuration (CVE-ID: CVE-2026-29129)
CWE-ID: CWE-16 - Configuration
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause the server to use TLS cipher suites in an unintended order.
The vulnerability exists due to improper configuration handling in TLS 1.3 cipher suite configuration when negotiating TLS connections. A remote attacker can initiate a TLS connection to cause the server to use TLS cipher suites in an unintended order.
5) Improper Certificate Validation (CVE-ID: CVE-2026-29145)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass certificate revocation checks during authentication.
The vulnerability exists due to improper certificate validation in CLIENT_CERT authentication when processing OCSP checks in some scenarios with soft fail disabled. A remote user can present a certificate in affected scenarios to bypass certificate revocation checks during authentication.
Only some scenarios are affected when soft fail is disabled.
6) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2026-29146)
CWE-ID: CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to decrypt protected communications.
The vulnerability exists due to the use of a padding-oracle-prone cryptographic mode in EncryptInterceptor when processing encrypted traffic with the default CBC configuration. A remote attacker can perform a padding oracle attack to decrypt protected communications.
7) Improper input validation (CVE-ID: CVE-2026-32990)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass strict SNI checks.
The vulnerability exists due to improper input validation in SNI name and host name validation when processing TLS connections. A remote attacker can use differences in case between the SNI name and host name to bypass strict SNI checks.
8) Improper Encoding or Escaping of Output (CVE-ID: CVE-2026-34483)
CWE-ID: CWE-116 - Improper Encoding or Escaping of Output
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to inject arbitrary JSON into the JSON access log.
The vulnerability exists due to incomplete escaping in the JSON access log when handling requests with non-default Connector attributes relaxedPathChars and/or relaxedQueryChars. A remote attacker can send a specially crafted request to inject arbitrary JSON into the JSON access log.
Only configurations using non-default values for relaxedPathChars and/or relaxedQueryChars are affected.
9) Inclusion of Sensitive Information in Log Files (CVE-ID: CVE-2026-34487)
CWE-ID: CWE-532 - Information Exposure Through Log Files
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to insertion of sensitive information into log output in the cloud membership for clustering component when writing log messages. A remote attacker can trigger log entries that expose the Kubernetes bearer token to disclose sensitive information.
10) Improper Certificate Validation (CVE-ID: CVE-2026-34500)
CWE-ID: CWE-295 - Improper Certificate Validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass client certificate authentication.
The vulnerability exists due to improper certificate validation in CLIENT_CERT authentication when processing OCSP checks with FFM and soft-fail disabled. A remote user can present a certificate in affected scenarios to bypass client certificate authentication.
Only some scenarios using FFM are affected.
11) Resource exhaustion (CVE-ID: CVE-2026-41284)
CWE-ID: CWE-400 - Resource exhaustion
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to cause a denial of service.
The vulnerability exists due to uncontrolled resource consumption in WebDAV LOCK and PROPFIND handling when processing request bodies. A remote attacker can send a large request body to cause a denial of service.
The affected requests are available to unauthenticated users.
12) Input validation error (CVE-ID: CVE-2026-41293)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to trigger unexpected application behavior.
The vulnerability exists due to improper input validation in HTTP/2 request header handling when exposing header values through the Servlet API. A remote attacker can send crafted HTTP/2 request headers to trigger unexpected application behavior.
This may affect applications that assume header values exposed through the Servlet API are specification compliant.
13) Information disclosure (CVE-ID: CVE-2026-42498)
CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose authentication headers to a redirect target host.
The vulnerability exists due to exposure of sensitive information in Tomcat's WebSocket client when following a redirected WebSocket request after authentication. A remote user can trigger a redirect after authentication to disclose authentication headers to a redirect target host.
The issue occurs only if a WebSocket request is redirected after authentication.
14) Improper Authentication (CVE-ID: CVE-2026-43512)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to authenticate as an unknown user.
The vulnerability exists due to improper authentication in the DIGEST authenticator when processing authentication for users not known to the configured Realm. A remote attacker can submit the password "null" for an unknown user to authenticate as an unknown user.
This occurs only when DIGEST authentication is configured.
15) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-43513)
CWE-ID: CWE-178 - Improper Handling of Case Sensitivity
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to weaken brute-force protection against a user's password.
The vulnerability exists due to improper input handling in LockOutRealm when processing case-insensitive user names. A remote attacker can vary the case of a user name during authentication attempts to weaken brute-force protection against a user's password.
This affects Realms where user names are treated as case insensitive.
16) Information Exposure Through Timing Discrepancy (CVE-ID: CVE-2026-43514)
CWE-ID: CWE-208 - Information Exposure Through Timing Discrepancy
CVSSv4: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to disclose the AJP secret.
The vulnerability exists due to observable timing discrepancy in AJP secret comparison when validating the AJP secret. A remote attacker can perform a timing attack to disclose the AJP secret.
Exploitation is limited to an attacker on the local network.
17) Improper access control (CVE-ID: CVE-2026-43515)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to bypass security constraints.
The vulnerability exists due to improper access control in HTTP method constraint processing when evaluating multiple security constraints for the same extension pattern. A remote attacker can send a request using an improperly constrained HTTP method to bypass security constraints.
Remediation
Install update from vendor's website.