[<prev] [next>] [day] [month] [year] [list]
Message-ID: <95b627e0-f5b5-48e7-8625-c3a9bf32b6b1@apache.org>
Date: Thu, 9 Apr 2026 20:49:18 +0100
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-29146: Apache Tomcat: EncryptInterceptor vulnerable to
padding oracle attack by default
Severity: important
Affected versions:
- Apache Tomcat 11.0.0-M1 through 11.0.18
- Apache Tomcat 10.0.0-M1 through 10.1.52
- Apache Tomcat 9.0.13 through 9.0.115
- Apache Tomcat 8.5.38 through 8.5.100
- Apache Tomcat 7.0.100 through 7.0.109
Description:
Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with
default configuration.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from
10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38
through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommended to upgrade to version 11.0.19, 10.1.53 and
9.0.116, which fixes the issue.
Credit:
Uri Katz and Avi Lumelsky (Oligo Security) (finder)
References:
https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w
https://tomcat.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-29146
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
