CVE-2026-41293

CRITICAL9.8EPSS 0.25%

Apache Tomcat - HTTP/2 request headers not validated

發布日:2026/5/12修改日:2026/5/19

描述

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: HTTP/2 request headers were not validated which may have triggered unexpected application behaviour if the application (quite reasonably) assumed that header value exposed through the Servlet API would be specification compliant. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.22 or later - Upgrade to Apache Tomcat 10.1.55 or later - Upgrade to Apache Tomcat 9.0.118 or later Credit: This issue was identified by Dawit Jeong (@dawitngoliath)

受影響套件(7)

Bitnami/tomcat>= 10.0.0, < 10.1.55, >= 11.0.0, < 11.0.22, >= 9.0.0, < 9.0.118
Debian/tomcat10from 0
Debian/tomcat11from 0
Debian/tomcat9from 0, < 9.0.70-2
Maven/org.apache.tomcat.embed:tomcat-embed-corefrom 0, < 9.0.118
Maven/org.apache.tomcat:tomcatfrom 0, < 9.0.118
Maven/org.apache.tomcat:tomcat-catalinafrom 0, < 9.0.118

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	CRITICAL9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

描述

受影響套件(7)

CVSS 分數

參考連結(17)