DEBIAN-CVE-2026-43515

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2026-43515
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2026-43515
Upstream
Published
2026-05-12T16:16:18.553Z
Modified
2026-05-15T09:00:10.766208334Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
[none]
Details

Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

References

Affected packages

Debian:11
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.70-2

Affected versions

9.*
9.0.43-1
9.0.43-2~deb11u1
9.0.43-2~deb11u2
9.0.43-2~deb11u3
9.0.43-2~deb11u4
9.0.43-2~deb11u5
9.0.43-2~deb11u6
9.0.43-2~deb11u7
9.0.43-2~deb11u8
9.0.43-2~deb11u9
9.0.43-2~deb11u10
9.0.43-2~deb11u11
9.0.43-2~deb11u12
9.0.43-2
9.0.43-3
9.0.53-1
9.0.54-1
9.0.55-1
9.0.58-1
9.0.62-1
9.0.63-1
9.0.64-1
9.0.64-2
9.0.65-1
9.0.67-1
9.0.68-1
9.0.68-1.1
9.0.70-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"
Debian:12
tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

10.*
10.1.6-1
10.1.6-1+deb12u1
10.1.6-1+deb12u2
10.1.7-1
10.1.8-1
10.1.9-1
10.1.10-1
10.1.13-1
10.1.14-1
10.1.15-1
10.1.16-1
10.1.20-1
10.1.23-1
10.1.25-1~bpo12+1
10.1.25-1
10.1.25-2
10.1.30-1~bpo12+1
10.1.30-1
10.1.31-1
10.1.33-1~bpo12+1
10.1.33-1
10.1.34-0+deb12u1
10.1.34-0+deb12u2
10.1.34-1
10.1.35-1
10.1.40-1~bpo12+1
10.1.40-1
10.1.46-1
10.1.52-1~deb12u1
10.1.52-1~deb13u1
10.1.52-1
10.1.52-2
10.1.54-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.70-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"
Debian:13
tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

10.*
10.1.40-1
10.1.46-1
10.1.52-1~deb12u1
10.1.52-1~deb13u1
10.1.52-1
10.1.52-2
10.1.54-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"
tomcat11

Package

Name
tomcat11
Purl
pkg:deb/debian/tomcat11?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

11.*
11.0.6-1
11.0.11-1
11.0.15-1~deb13u1
11.0.15-1
11.0.18-1
11.0.21-1
11.0.22-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.70-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"
Debian:14
tomcat10

Package

Name
tomcat10
Purl
pkg:deb/debian/tomcat10?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

10.*
10.1.40-1
10.1.46-1
10.1.52-1~deb12u1
10.1.52-1~deb13u1
10.1.52-1
10.1.52-2
10.1.54-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"
tomcat11

Package

Name
tomcat11
Purl
pkg:deb/debian/tomcat11?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

11.*
11.0.6-1
11.0.11-1
11.0.15-1~deb13u1
11.0.15-1
11.0.18-1
11.0.21-1
11.0.22-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/debian/tomcat9?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.70-2

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Database specific

source 
"https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2026-43515.json"