BIT-tomcat-2026-29146

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2026-29146.json

JSON Data

https://api.test.osv.dev/v1/vulns/BIT-tomcat-2026-29146

Aliases

Published

2026-04-13T16:01:34.700Z

Modified

2026-04-13T17:12:56.515699136Z

Summary

Apache Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default

Details

Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.

This issue affects Apache Tomcat: from 11.0.0 through 11.0.18, from 10.0.0 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.

Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.

Database specific

{
    "cpes": [
        "cpe:2.3:a:apache:tomcat:*:*:*:*:*:maven:*:*"
    ],
    "severity": "High"
}

References

Affected packages

Bitnami / tomcat

Package

Name: tomcat
Purl: pkg:bitnami/tomcat

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

7.0.100

Fixed

9.0.116

Introduced

10.0.0

Fixed

10.1.53

Introduced

11.0.0

Fixed

11.0.19

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2026-29146.json"