{ "_class" : "io.jenkins.plugins.analysis.core.restapi.ReportApi", "issues" : [ { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-6a54c218", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-24880: LanguageSpecificPackageVulnerability\u000a\u000aInconsistent Interpretation of HTTP Requests ('HTTP Request/Response S ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-24880**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.52, 11.0.20|[CVE-2026-24880](https://avd.aquasec.com/nvd/cve-2026-24880)|\u000a\u000aInconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\u000aOther, unsupported versions may also be affected.\u000a\u000aUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-24880\u000aSeverity: HIGH\u000aFixed Version: 9.0.116, 10.1.52, 11.0.20\u000aLink: [CVE-2026-24880](https://avd.aquasec.com/nvd/cve-2026-24880)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "HIGH", "toString" : "catalina.jar(1,0): CVE-2026-24880: : CVE-2026-24880: LanguageSpecificPackageVulnerability\u000a\u000aInconsistent Interpretation of HTTP Requests ('HTTP Request/Response S ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-24880**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.52, 11.0.20|[CVE-2026-24880](https://avd.aquasec.com/nvd/cve-2026-24880)|\u000a\u000aInconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.\u000aOther, unsupported versions may also be affected.\u000a\u000aUsers are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-24880\u000aSeverity: HIGH\u000aFixed Version: 9.0.116, 10.1.52, 11.0.20\u000aLink: [CVE-2026-24880](https://avd.aquasec.com/nvd/cve-2026-24880)", "type" : "CVE-2026-24880" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-82411fbb", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-25854: LanguageSpecificPackageVulnerability\u000a\u000aOccasional URL redirection to untrusted Site ('Open Redirect') vulnera ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-25854**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.20|[CVE-2026-25854](https://avd.aquasec.com/nvd/cve-2026-25854)|\u000a\u000aOccasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\u000aOther, unsupported versions may also be affected\u000a\u000aUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-25854\u000aSeverity: MEDIUM\u000aFixed Version: 9.0.116, 10.1.53, 11.0.20\u000aLink: [CVE-2026-25854](https://avd.aquasec.com/nvd/cve-2026-25854)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "NORMAL", "toString" : "catalina.jar(1,0): CVE-2026-25854: : CVE-2026-25854: LanguageSpecificPackageVulnerability\u000a\u000aOccasional URL redirection to untrusted Site ('Open Redirect') vulnera ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-25854**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.20|[CVE-2026-25854](https://avd.aquasec.com/nvd/cve-2026-25854)|\u000a\u000aOccasional URL redirection to untrusted Site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.\u000aOther, unsupported versions may also be affected\u000a\u000aUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-25854\u000aSeverity: MEDIUM\u000aFixed Version: 9.0.116, 10.1.53, 11.0.20\u000aLink: [CVE-2026-25854](https://avd.aquasec.com/nvd/cve-2026-25854)", "type" : "CVE-2026-25854" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-66a9e9cb", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-29129: LanguageSpecificPackageVulnerability\u000a\u000aConfigured cipher preference order not preserved vulnerability in Apac ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-29129**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.20|[CVE-2026-29129](https://avd.aquasec.com/nvd/cve-2026-29129)|\u000a\u000aConfigured cipher preference order not preserved vulnerability in Apache Tomcat.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\u000a\u000aUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-29129\u000aSeverity: HIGH\u000aFixed Version: 9.0.116, 10.1.53, 11.0.20\u000aLink: [CVE-2026-29129](https://avd.aquasec.com/nvd/cve-2026-29129)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "HIGH", "toString" : "catalina.jar(1,0): CVE-2026-29129: : CVE-2026-29129: LanguageSpecificPackageVulnerability\u000a\u000aConfigured cipher preference order not preserved vulnerability in Apac ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-29129**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.20|[CVE-2026-29129](https://avd.aquasec.com/nvd/cve-2026-29129)|\u000a\u000aConfigured cipher preference order not preserved vulnerability in Apache Tomcat.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.\u000a\u000aUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-29129\u000aSeverity: HIGH\u000aFixed Version: 9.0.116, 10.1.53, 11.0.20\u000aLink: [CVE-2026-29129](https://avd.aquasec.com/nvd/cve-2026-29129)", "type" : "CVE-2026-29129" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-6d249065", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-29145: LanguageSpecificPackageVulnerability\u000a\u000aCLIENT_CERT authentication does not fail as expected for some scenario ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-29145**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.20|[CVE-2026-29145](https://avd.aquasec.com/nvd/cve-2026-29145)|\u000a\u000aCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\u000a\u000aUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-29145\u000aSeverity: CRITICAL\u000aFixed Version: 9.0.116, 10.1.53, 11.0.20\u000aLink: [CVE-2026-29145](https://avd.aquasec.com/nvd/cve-2026-29145)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "HIGH", "toString" : "catalina.jar(1,0): CVE-2026-29145: : CVE-2026-29145: LanguageSpecificPackageVulnerability\u000a\u000aCLIENT_CERT authentication does not fail as expected for some scenario ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-29145**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|CRITICAL|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.20|[CVE-2026-29145](https://avd.aquasec.com/nvd/cve-2026-29145)|\u000a\u000aCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.\u000a\u000aUsers are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-29145\u000aSeverity: CRITICAL\u000aFixed Version: 9.0.116, 10.1.53, 11.0.20\u000aLink: [CVE-2026-29145](https://avd.aquasec.com/nvd/cve-2026-29145)", "type" : "CVE-2026-29145" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-6d412956", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-29146: LanguageSpecificPackageVulnerability\u000a\u000aPadding Oracle vulnerability in Apache Tomcat's EncryptInterceptor wit ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-29146**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.19|[CVE-2026-29146](https://avd.aquasec.com/nvd/cve-2026-29146)|\u000a\u000aPadding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u000a\u000aUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-29146\u000aSeverity: HIGH\u000aFixed Version: 9.0.116, 10.1.53, 11.0.19\u000aLink: [CVE-2026-29146](https://avd.aquasec.com/nvd/cve-2026-29146)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "HIGH", "toString" : "catalina.jar(1,0): CVE-2026-29146: : CVE-2026-29146: LanguageSpecificPackageVulnerability\u000a\u000aPadding Oracle vulnerability in Apache Tomcat's EncryptInterceptor wit ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-29146**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.19|[CVE-2026-29146](https://avd.aquasec.com/nvd/cve-2026-29146)|\u000a\u000aPadding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\u000a\u000aUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-29146\u000aSeverity: HIGH\u000aFixed Version: 9.0.116, 10.1.53, 11.0.19\u000aLink: [CVE-2026-29146](https://avd.aquasec.com/nvd/cve-2026-29146)", "type" : "CVE-2026-29146" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-f899c988", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-32990: LanguageSpecificPackageVulnerability\u000a\u000aImproper Input Validation vulnerability in Apache Tomcat due to an inc ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32990**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.20|[CVE-2026-32990](https://avd.aquasec.com/nvd/cve-2026-32990)|\u000a\u000aImproper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\u000a\u000aUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-32990\u000aSeverity: MEDIUM\u000aFixed Version: 9.0.116, 10.1.53, 11.0.20\u000aLink: [CVE-2026-32990](https://avd.aquasec.com/nvd/cve-2026-32990)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "NORMAL", "toString" : "catalina.jar(1,0): CVE-2026-32990: : CVE-2026-32990: LanguageSpecificPackageVulnerability\u000a\u000aImproper Input Validation vulnerability in Apache Tomcat due to an inc ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-32990**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.53, 11.0.20|[CVE-2026-32990](https://avd.aquasec.com/nvd/cve-2026-32990)|\u000a\u000aImproper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.\u000a\u000aUsers are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-32990\u000aSeverity: MEDIUM\u000aFixed Version: 9.0.116, 10.1.53, 11.0.20\u000aLink: [CVE-2026-32990](https://avd.aquasec.com/nvd/cve-2026-32990)", "type" : "CVE-2026-32990" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-ba96c298", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-34483: LanguageSpecificPackageVulnerability\u000a\u000aImproper Encoding or Escaping of Output vulnerability in the JsonAcces ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34483**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.54, 11.0.21|[CVE-2026-34483](https://avd.aquasec.com/nvd/cve-2026-34483)|\u000a\u000aImproper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\u000a\u000aUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-34483\u000aSeverity: HIGH\u000aFixed Version: 9.0.116, 10.1.54, 11.0.21\u000aLink: [CVE-2026-34483](https://avd.aquasec.com/nvd/cve-2026-34483)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "HIGH", "toString" : "catalina.jar(1,0): CVE-2026-34483: : CVE-2026-34483: LanguageSpecificPackageVulnerability\u000a\u000aImproper Encoding or Escaping of Output vulnerability in the JsonAcces ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34483**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.116, 10.1.54, 11.0.21|[CVE-2026-34483](https://avd.aquasec.com/nvd/cve-2026-34483)|\u000a\u000aImproper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.\u000a\u000aUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117 , which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-34483\u000aSeverity: HIGH\u000aFixed Version: 9.0.116, 10.1.54, 11.0.21\u000aLink: [CVE-2026-34483](https://avd.aquasec.com/nvd/cve-2026-34483)", "type" : "CVE-2026-34483" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-bb09265c", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-34487: LanguageSpecificPackageVulnerability\u000a\u000aInsertion of Sensitive Information into Log File vulnerability in the ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34487**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.117, 10.1.54, 11.0.21|[CVE-2026-34487](https://avd.aquasec.com/nvd/cve-2026-34487)|\u000a\u000aInsertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\u000a\u000aUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-34487\u000aSeverity: HIGH\u000aFixed Version: 9.0.117, 10.1.54, 11.0.21\u000aLink: [CVE-2026-34487](https://avd.aquasec.com/nvd/cve-2026-34487)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "HIGH", "toString" : "catalina.jar(1,0): CVE-2026-34487: : CVE-2026-34487: LanguageSpecificPackageVulnerability\u000a\u000aInsertion of Sensitive Information into Log File vulnerability in the ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34487**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|HIGH|org.apache.tomcat:tomcat-catalina|9.0.117, 10.1.54, 11.0.21|[CVE-2026-34487](https://avd.aquasec.com/nvd/cve-2026-34487)|\u000a\u000aInsertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.\u000a\u000aUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-34487\u000aSeverity: HIGH\u000aFixed Version: 9.0.117, 10.1.54, 11.0.21\u000aLink: [CVE-2026-34487](https://avd.aquasec.com/nvd/cve-2026-34487)", "type" : "CVE-2026-34487" }, { "addedAt" : 0, "authorEmail" : "-", "authorName" : "-", "baseName" : "catalina.jar", "category" : "", "columnEnd" : 0, "columnStart" : 0, "commit" : "-", "description" : "", "fileName" : "/usr/local/tomcat/lib/catalina.jar", "fingerprint" : "FALLBACK-2bda82fb", "lineEnd" : 1, "lineStart" : 1, "message" : "CVE-2026-34500: LanguageSpecificPackageVulnerability\u000a\u000aCLIENT_CERT authentication does not fail as expected for some scenario ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34500**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.tomcat:tomcat-catalina|9.0.117, 10.1.54, 11.0.21|[CVE-2026-34500](https://avd.aquasec.com/nvd/cve-2026-34500)|\u000a\u000aCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\u000a\u000aUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-34500\u000aSeverity: MEDIUM\u000aFixed Version: 9.0.117, 10.1.54, 11.0.21\u000aLink: [CVE-2026-34500](https://avd.aquasec.com/nvd/cve-2026-34500)", "moduleName" : "", "origin" : "trivy", "originName" : "Trivy Security Scanner", "packageName" : "-", "reference" : "1398", "severity" : "NORMAL", "toString" : "catalina.jar(1,0): CVE-2026-34500: : CVE-2026-34500: LanguageSpecificPackageVulnerability\u000a\u000aCLIENT_CERT authentication does not fail as expected for some scenario ...\u000a\u000aFor additional help see: **Vulnerability CVE-2026-34500**\u000a| Severity | Package | Fixed Version | Link |\u000a| --- | --- | --- | --- |\u000a|MEDIUM|org.apache.tomcat:tomcat-catalina|9.0.117, 10.1.54, 11.0.21|[CVE-2026-34500](https://avd.aquasec.com/nvd/cve-2026-34500)|\u000a\u000aCLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat.\u000a\u000aThis issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.\u000a\u000aUsers are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.\u000a\u000aPackage: org.apache.tomcat:tomcat-catalina\u000aInstalled Version: 9.0.115\u000aVulnerability CVE-2026-34500\u000aSeverity: MEDIUM\u000aFixed Version: 9.0.117, 10.1.54, 11.0.21\u000aLink: [CVE-2026-34500](https://avd.aquasec.com/nvd/cve-2026-34500)", "type" : "CVE-2026-34500" } ], "size" : 9, "toString" : "9 warnings (high: 6, normal: 3)" }