chore(security): pin tomcat-embed-core 10.1.55 — Apache Tomcat CVE fixes (v0.1.25.42) #179
Merged
chore(security): pin tomcat-embed-core 10.1.55 — Apache Tomcat CVE fixes (v0.1.25.42)

Trivy flagged `tomcat-embed-core 10.1.54` (SB 3.5.14's managed version) with 3 CRITICAL + 3 HIGH + 1 LOW Apache Tomcat CVEs between the last clean main scan (2026-05-11) and 2026-05-24. Re-introduce a property override (mirroring the existing `commons-lang3.version 3.18.0` pattern) to pick up the 10.1.55 fix.

CVEs (all in tomcat-embed-core 10.1.0-M1..10.1.54, all fixed in 10.1.55):

- CVE-2026-43515 CRITICAL — Improper Authorization (method constraints)
- CVE-2026-43512 CRITICAL — Authentication Bypass (digest auth)
- CVE-2026-41293 CRITICAL — Improper Input Validation
- CVE-2026-43513 HIGH — Case sensitivity in LockOutRealm
- CVE-2026-42498 HIGH — HTTP Auth header leak in WebSocket
- CVE-2026-41284 HIGH — Resource allocation DoS
- CVE-2026-43514 LOW — Observable timing in AJP secret compare

Property-override only — no code, spec, or wire change. `revision` bumps 0.1.25.41 → 0.1.25.42 to match the existing CVE-pin release pattern (cf. v0.1.25.33 SB/Tomcat CVE bump, v0.1.25.34 commons-lang3 CVE pin).

Override notes:

- Spring Boot's spring-boot-dependencies BOM uses `tomcat.version` to manage all tomcat-embed-* artifacts, so one property covers tomcat-embed-core, -el, and -websocket transitively.
- Previously present pre-v0.1.25.41; dropped when SB 3.5.14 began managing 10.1.54 directly. Re-add now that 10.1.54 is vulnerable. Remove again once SB ships a BOM with 10.1.55+.

AUDIT.md updated per project rule "always update AUDIT.md files when making changes to server, admin, client repos."
Summary

Re-introduce the `<tomcat.version>10.1.55</tomcat.version>` property override to fix 3 CRITICAL + 3 HIGH + 1 LOW Apache Tomcat CVEs that trivy's database flagged against `tomcat-embed-core 10.1.54` (Spring Boot 3.5.14's managed version) between the last clean main scan (2026-05-11) and 2026-05-24.

CVEs (all fixed in tomcat-embed-core 10.1.55)

Change

Pom property addition (mirrors the existing `commons-lang3.version 3.18.0` CVE-pin pattern in the same file).

Plus `revision` bump 0.1.25.41 → 0.1.25.42 to match the existing CVE-pin release pattern (cf. v0.1.25.33 SB/Tomcat CVE bump, v0.1.25.34 commons-lang3 CVE pin).

Scope

Spring Boot's spring-boot-dependencies BOM uses `tomcat.version` to manage all `tomcat-embed-*` artifacts, so one property covers `tomcat-embed-core`, `tomcat-embed-el`, and `tomcat-embed-websocket` transitively.

Related

- `chore/bump-tomcat-10.1.55-cves`, v0.1.25.13.
- `push:main` scan uploads a clean SARIF under the same category.

Test plan

- `commons-lang3.version` pin (same comment shape, same removal trigger).
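As an added example (not code from this PR or the project), a small check of the kind a CI step could run against the pom to confirm that the `tomcat.version` pin described above is actually present and at or above the 10.1.55 fix release, including correct ordering of pre-release versions such as the `10.1.0-M1` lower bound of the affected range. The sample pom is constructed; the property names mirror the ones named in the PR.

```python
"""Gate check: is tomcat.version pinned in pom.xml at or above the Tomcat fix release?"""
import re
import xml.etree.ElementTree as ET

# Constructed sample pom (not the project's real file). It mirrors the pattern the PR
# describes: a commons-lang3.version CVE pin next to the re-added tomcat.version pin.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <revision>0.1.25.42</revision>
    <commons-lang3.version>3.18.0</commons-lang3.version>
    <!-- CVE pin: drop once the Spring Boot BOM manages 10.1.55+ -->
    <tomcat.version>10.1.55</tomcat.version>
  </properties>
</project>
"""

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_TOMCAT = "10.1.55"  # first release carrying the fixes listed in the PR

def parse_version(version):
    """Order Tomcat versions so that pre-releases like 10.1.0-M1 sort below 10.1.0 GA."""
    base, _, qualifier = version.partition("-")
    numbers = tuple(int(part) for part in base.split("."))
    if not qualifier:
        return numbers, (1, 0)  # GA outranks any milestone/RC with the same number
    match = re.fullmatch(r"(?:M|RC)(\d+)", qualifier, re.IGNORECASE)
    pre_number = int(match.group(1)) if match else 0
    return numbers, (0, pre_number)

def get_property(pom_xml, name):
    """Return the text of <properties><name> or None when the pom does not set it."""
    root = ET.fromstring(pom_xml)
    node = root.find(f"m:properties/m:{name}", POM_NS)
    return None if node is None or node.text is None else node.text.strip()

def tomcat_pin_ok(pom_xml, fixed=FIXED_TOMCAT):
    """True only if tomcat.version is pinned explicitly and is >= the fix release."""
    pinned = get_property(pom_xml, "tomcat.version")
    if pinned is None:
        return False  # BOM default (10.1.54 under SB 3.5.14) applies: the vulnerable state
    return parse_version(pinned) >= parse_version(fixed)

if __name__ == "__main__":
    print("tomcat.version =", get_property(SAMPLE_POM, "tomcat.version"),
          "ok" if tomcat_pin_ok(SAMPLE_POM) else "NOT OK")
```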