Delft-FEWS uses third-party libraries and analyses these libraries with the OWASP Dependency-Check tool. See https://owasp.org/www-project-dependency-check/

Common Vulnerabilities and Exposures (CVE) with CVE score Critical and High

This page keeps track of known CVE issues in libraries that are distributed with Delft-FEWS and of the upgrade strategy for these libraries. Only vulnerabilities with a Common Vulnerability Scoring System (CVSS) severity of Critical or High are reported here.

Each entry records: date, CVE, library, description, affected versions, risk for Delft-FEWS, JIRA issue and upgrade strategy.

Date: May 2026
CVE: CVE-2026-42198
Library: postgresql-42.7.10.jar
Description: pgjdbc is an open source PostgreSQL JDBC driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Versions: 42.7.10 and lower
Risk for Delft-FEWS: Can cause a denial of service on the local machine.
JIRA: FEWS-34863

Date: April 2026
CVE: CVE-2026-34500
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fixes the issue.
Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2026-34487
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2026-34483
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve component of Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2026-32990
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: Improper Input Validation vulnerability in Apache Tomcat due to an incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Versions: 11.0.15 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2026-29146
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
Versions: 11.0.19 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2026-29145
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13. Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.
Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2026-29129
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: Configured cipher preference order not preserved vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Versions: 11.0.18 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2026-25854
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: Occasional URL redirection to untrusted site ('Open Redirect') vulnerability in Apache Tomcat via the LoadBalancerDrainingValve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Versions: 11.0.18 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2026-24880
Library: tomcat-embed-core-11.0.14.jar, tomcat-embed-jasper-11.0.14.jar
Description: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Apache Tomcat via invalid chunk extension. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which fix the issue.
Versions: 11.0.20 and lower
Risk for Delft-FEWS: May affect the patchable web service; otherwise the vulnerability is not exposed.
JIRA: FEWS-34791
Upgrade strategy: Library upgraded in Stable 2024.02 and newer Stable branches since 4 May 2026.

Date: April 2026
CVE: CVE-2025-66453
Library: rhino-1.7.14.jar
Description: Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker-controlled floating point number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult, where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.
Versions: 1.7.14.1 and lower
JIRA: FEWS-34750
Upgrade strategy: Library upgraded in 2026.01.

Date: April 2026
CVE: CVE-2025-70873
Library: sqlite-jdbc-3.50.3.0.jar
Description: An information disclosure issue in the zipfileInflate function in the zipfile extension in SQLite v3.51.1 and earlier allows attackers to obtain heap memory via supplying a crafted ZIP file.
Versions: 3.51.1 and lower
JIRA: FEWS-34782
Upgrade strategy: Library upgraded in 2026.01.

Date: April 2026
CVE: CVE-2026-34480
Library: log4j-*.2.25.3.jar
Description: Apache Log4j Core's XmlLayout (https://logging.apache.org/log4j/2.x/manual/layouts.html#XmlLayout), in versions up to and including 2.25.3, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/#charsets), producing invalid XML output whenever a log message or MDC value contains such characters. The impact depends on the StAX implementation in use:

- JRE built-in StAX: Forbidden characters are silently written to the output, producing malformed XML. Conforming parsers must reject such documents with a fatal error, which may cause downstream log-processing systems to drop the affected records.

- Alternative StAX implementations (e.g., Woodstox, https://github.com/FasterXML/woodstox, a transitive dependency of the Jackson XML Dataformat module): An exception is thrown during the logging call, and the log event is never delivered to its intended appender, only to Log4j's internal status logger.

Users are advised to upgrade to Apache Log4j Core 2.25.4, which corrects this issue by sanitizing forbidden characters before XML output.
Versions: 2.25.3 and lower
JIRA: FEWS-34733
Upgrade strategy: Library upgraded in 2026.01.

Date: April 2026
CVE: CVE-2026-33870
Library: netty-all-4.2.9.Final.jar
Description: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Netty is used in the FEWS import functionality, where only its HTTPS client functionality is used to download data; the risk of this being targeted by a DoS attack is extremely low.
Versions: 4.2; versions prior to 4.2.10
Risk for Delft-FEWS: False positive
JIRA: FEWS-34704
Upgrade strategy: False positive, but updated to 4.2.12.Final in MAIN (2026.01).

Date: April 2026
CVE: CVE-2026-33871
Library: netty-all-4.2.9.Final.jar
Description: Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit on the number of `CONTINUATION` frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive. Versions 4.1.132.Final and 4.2.10.Final fix the issue.

Netty is used in the FEWS import functionality, where only its HTTPS client functionality is used to download data; the risk of this being targeted by a DoS attack is extremely low.
Versions: 4.2; versions prior to 4.2.10
Risk for Delft-FEWS: False positive
JIRA: FEWS-34704
Upgrade strategy: False positive, but updated to 4.2.12.Final in MAIN (2026.01).

Date: March 2026
CVE: CVE-2026-24734
Library: tomcat-embed-core-11.0.14.jar
Description: Improper Input Validation vulnerability in Apache Tomcat Native, Apache Tomcat. When using an OCSP responder, Tomcat Native (and Tomcat's FFM port of the Tomcat Native code) did not complete verification or freshness checks on the OCSP response, which could allow certificate revocation to be bypassed. This issue affects Apache Tomcat Native: from 1.3.0 through 1.3.4, from 2.0.0 through 2.0.11; Apache Tomcat: from 11.0.0-M1 through 11.0.17, from 10.1.0-M7 through 10.1.51, from 9.0.83 through 9.0.114. The following versions were EOL at the time the CVE was created but are known to be affected: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39. Older EOL versions are not affected. Apache Tomcat Native users are recommended to upgrade to versions 1.3.5 or later or 2.0.12 or later, which fix the issue. Apache Tomcat users are recommended to upgrade to versions 11.0.18 or later, 10.1.52 or later or 9.0.115 or later, which fix the issue.

Embedded Tomcat, which is part of the FEWS installation, is normally not set up for HTTPS and should be used only for testing purposes within the protection of a local network; it should never be exposed to the public internet.
Versions: 11.0.1; versions up to (excluding) 11.0.18
Risk for Delft-FEWS: False positive
JIRA: FEWS-34614
Upgrade strategy: False positive, but updated to 11.0.18 in MAIN (2026.01).

Date: March 2026
CVE: CVE-2025-66614
Library: tomcat-embed-core-11.0.14.jar
Description: Improper Input Validation vulnerability. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0-M1 through 9.0.112. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Older EOL versions are not affected. Tomcat did not validate that the host name provided via the SNI extension was the same as the host name provided in the HTTP host header field. If Tomcat was configured with more than one virtual host and the TLS configuration for one of those hosts did not require client certificate authentication but another one did, it was possible for a client to bypass the client certificate authentication by sending different host names in the SNI extension and the HTTP host header field. The vulnerability only applies if client certificate authentication is only enforced at the Connector. It does not apply if client certificate authentication is enforced at the web application. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fix the issue.

Embedded Tomcat, which is part of the FEWS installation, is normally not set up for HTTPS and should be used only for testing purposes within the protection of a local network; it should never be exposed to the public internet.
Versions: 11.0.1; versions up to (excluding) 11.0.15
Risk for Delft-FEWS: False positive
JIRA: FEWS-34613
Upgrade strategy: False positive, but updated to 11.0.18 in MAIN (2026.01).

Date: January 2026
CVE: CVE-2026-22184
Library: zlib.dll
Description: This is a bug in a reference program demonstrating how to use zlib. This is not a problem in zlib itself.

ioapi.c and untgz.c are in the contrib directory, and so are not part of zlib. You can contact the authors of those codes if you like, but in any case they are not vulnerabilities in zlib.
Versions: All
Risk for Delft-FEWS: False positive
JIRA: FEWS-34300
Upgrade strategy: False positive, no action required.

Date: January 2026
CVE: CVE-2025-6444, CVE-2020-28042
Library: client-1.1.5.jar
Description: The CVE warnings refer to a JS library, not the ServiceStack stack in the client jar.
Versions: All
Risk for Delft-FEWS: False positive
JIRA: FEWS-34287
Upgrade strategy: False positive, no action required.

Date: December 2025
CVE: CVE-2024-25710
Library: commons-compress-1.21.jar
Description: Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0, which fixes the issue.
Versions: 1.21

Date: December 2025
CVE: CVE-2024-36404
Library: gt-28.2.jar
Description: GeoTools is an open source Java library that provides tools for geospatial data. Prior to versions 31.2, 30.4, and 29.6, Remote Code Execution (RCE) is possible if an application uses certain GeoTools functionality to evaluate XPath expressions supplied by user input. Versions 31.2, 30.4, and 29.6 contain a fix for this issue. As a workaround, GeoTools can operate with reduced functionality by removing the `gt-complex` jar from one's application. As an example of the impact, application schema `datastore` would not function without the ability to use XPath expressions to query complex content. Alternatively, one may utilize a drop-in replacement GeoTools jar from SourceForge for versions 31.1, 30.3, 30.2, 29.2, 28.2, 27.5, 27.4, 26.7, 26.4, 25.2, and 24.0. These jars are for download only and are not available from Maven Central, intended to quickly provide a fix to affected applications.
Versions: 28.2

Date: December 2025
CVE: CVE-2025-30220
Library: gt-28.2.jar
Description: GeoServer is an open source server that allows users to share and edit geospatial data. The GeoTools Schema class's use of the Eclipse XSD library to represent the schema data structure is vulnerable to XML External Entity (XXE) exploits. This impacts whoever exposes XML processing with gt-xsd-core involved in parsing, when the documents carry a reference to an external XML schema. The gt-xsd-core Schemas class is not using the EntityResolver provided by the ParserHandler (if any was configured). This also impacts users of the gt-wfs-ng DataStore where the ENTITY_RESOLVER connection parameter was not being used as intended. This vulnerability is fixed in GeoTools 33.1, 32.3, 31.7, and 28.6.1, GeoServer 2.27.1, 2.26.3, and 2.25.7, and GeoNetwork 4.4.8 and 4.2.13.
Versions: 28.2

Date: December 2025
CVE: CVE-2024-1597
Library: postgresql-42.6.0.jar
Description: pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected.
Versions: 42.6.0

Date: November 2025
CVE: CVE-2025-59250
Library: mssql-jdbc.*.jar
Description: Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.
Versions: 12.10.2, 13.2.1, 12.6.5, 11.2.4, 10.2.4, 12.8.2, 12.2.1, and 12.4.3
Risk for Delft-FEWS: False positive if a non-MS-SQL database is used. Otherwise it allows a man-in-the-middle attack and spoofing when connecting to an MS-SQL server.
JIRA: FEWS-33934
Upgrade strategy: Upgrade the version if MS-SQL is used in the branch.

Date: Aug 2025
CVE: CVE-2025-6445
Library: client-1.*.*.jar
Description: ServiceStack FindType Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ServiceStack. Interaction with this library is required to exploit this vulnerability, but attack vectors may vary depending on the implementation.

This library is used only by the Aquaris server import feature and affects only the server side, which is a .NET platform-based component; Delft-FEWS only uses a Java-based client component, which is not affected.
Versions: All
Risk for Delft-FEWS: False positive
JIRA: FEWS-33578
Upgrade strategy: False positive, no action required.

Date: July 2025
CVE: CVE-2024-7254
Library: protobuf-java-*.jar
Description: Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or the Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

This warning is triggered by unversioned references to Google protobuf-java both in the NetCDF-Java libraries and in THREDDS, as well as by a properly patched protobuf-java-3.25.5.jar in the FEWS binaries. This is considered to be a bug in the OWASP dependency scanner that we cannot fix.
Versions: All
Risk for Delft-FEWS: False positive
JIRA: FEWS-26649
Upgrade strategy: False positive, no action required.

Date: June 2025
CVE: CVE-2025-52999
Library: jackson-core-2.13.2.jar, jackson-core-2.14.2.jar
Description: Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

In the Open Archive users cannot input JSON; in the FEWS web services user input in JSON format is disabled by default and should only be configured for authenticated users. In the FEWS desktop application the user already has access to the system. Therefore this is not considered a high risk.
Versions: 2024.01 and earlier
Risk for Delft-FEWS: False positive
JIRA: FEWS-28837
Upgrade strategy: False positive, no action required.

Date: Apr 2025
CVE: CVE-2023-4770
Library: Delft_PI.jar, Delft_Util.jar, Delft_NetCDF_Util.jar, Delft_Jep.jar, mydoggy-res-1.4.3p
Description: An uncontrolled search path element vulnerability has been found in 4D and 4D Server Windows executable applications, affecting version 19 R8 100218. This vulnerability consists of DLL hijacking by replacing x64 shfolder.dll in the installation path, causing arbitrary code execution.
Versions: Adapters
Risk for Delft-FEWS: False positive
Upgrade strategy: False positive, no action required.

Date: Mar 2025
CVE: CVE-2025-27553
Library: commons-vfs2-*.jar
Description: Relative Path Traversal vulnerability in Apache Commons VFS before 2.10.0. The FileObject API in Commons VFS has a 'resolveFile' method that takes a 'scope' parameter. Specifying 'NameScope.DESCENDENT' promises that "an exception is thrown if the resolved file is not a descendent of the base file". However, when the path contains encoded ".." characters (for example, "%2E%2E/bar.txt"), it might return file objects that are not a descendent of the base file, without throwing an exception. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.

This VFS (Virtual File System) library is used only by the data import module of FEWS. The code has been scanned and no calls to the resolveFile method using this specific NameScope were found. Even the possible case where this may be called indirectly should not be a major concern, as the file paths used to import data from can only be configured by FEWS configurators, and there is no way a remote attacker can interfere with this without first gaining access to the file or database systems used by FEWS in some other way.
Versions: 2022.01 - current
Risk for Delft-FEWS: False positive
JIRA: FEWS-32789
Upgrade strategy: Upgraded to version 2.10.0 in 2025.01 and later branches.

Date: Nov 2024
CVE: CVE-2024-48910
Library: swagger-ui-*.js
Description: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMPurify was vulnerable to prototype pollution. This vulnerability is fixed in 2.4.2.

This is apparently embedded in the Swagger test pages provided for testing the FEWS web services. These pages should never be open to untrusted/public input. The Swagger library has been updated in 2024.02, but this is considered a false positive.
Versions: 2021.02 - 2024.01
Risk for Delft-FEWS: False positive
JIRA: FEWS-32230
Upgrade strategy: False positive, no action required.

Date: Oct 2024
CVE: CVE-2024-47554
Library: commons-io-2.7.jar
Description: Uncontrolled Resource Consumption vulnerability in Apache Commons IO. The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input. This issue affects Apache Commons IO: from 2.0 before 2.14.0. Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

The current source code of both FEWS and the THREDDS release included with the archive has been checked, and there is no usage whatsoever of the Apache XML-related classes; only the XML-related classes provided by the Java JDK are used.
Risk for Delft-FEWS: False positive
JIRA: FEWS-26642
Upgrade strategy: False positive

Date: Sept 2024
CVE: CVE-2024-45801, CVE-2024-47875
Library: swagger-ui-*.js
Description: DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. It has been discovered that malicious HTML using special nesting techniques can bypass the depth checking added to DOMPurify in recent releases. It was also possible to use Prototype Pollution to weaken the depth check. This renders DOMPurify unable to avoid cross site scripting (XSS) attacks. This issue has been addressed in versions 2.5.4 and 3.1.3 of DOMPurify. All users are advised to upgrade. There are no known workarounds for this vulnerability.

This is apparently embedded in the Swagger test pages provided for testing the FEWS web services. These pages should never be open to untrusted/public input, so although the Swagger library has been updated in 2024.02, this is considered a false positive.
Versions: 2021.02 - 2024.01
Risk for Delft-FEWS: False positive
JIRA: FEWS-31929
Upgrade strategy: False positive, no action required.

Date: July 2024
CVE: CVE-2024-36401
Library: gt-complex-31.1.jar
Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions... A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

FEWS uses the GeoTools library, not GeoServer. The WFS (Web Feature Service) implementation in FEWS is a "Simple" profile implementation of the WFS standard, which is read-only, does not include XPath expressions and does not use the vulnerable gt-complex-x.y.jar library reported here. Therefore this is considered a false positive.
Versions: 2021-02 - current
Risk for Delft-FEWS: False positive
JIRA: FEWS-27037
Upgrade strategy: False positive, no action required.

Date: May 2024
CVE: CVE-2024-34447, CVE-2024-29857
Library: bcprov-jdk15-*.jar
Description: The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

This library is related to the OpenID authentication support in the FEWS web services and admin interface. FEWS only allows the use of certificates from a local truststore, which is managed by the system administrators, so the scenario where a certificate is "imported" does not apply. Therefore we consider this a false positive.
Versions: 2021.02 - 2024.01
Risk for Delft-FEWS: False positive
JIRA: FEWS-24727
Upgrade strategy: False positive, no action required.

Date: February 2024
CVE: CVE-2023-52428
Library: nimbus-jose-jwt-9.2*.jar
Description: In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

This library is related to the OpenID authentication support in the FEWS web services and admin interface. FEWS does not use the PBKDF2 component for password decryption. Therefore we consider this a false positive.
Versions: 2022.02 - 2024.01
Risk for Delft-FEWS: False positive
JIRA: FEWS-31813
Upgrade strategy: False positive, no action required.

Date: February 2024
CVE: CVE-2022-37434, CVE-2002-0059, CVE-2018-25032
Library: zlib1.dll
Description: Several security issues in zlib versions 1.2.12 and earlier are reported.

FEWS uses a more recent version (1.2.13 - 1.3.1), but apparently the OWASP dependency checker is not able to detect this; therefore we consider this a false alarm.
Versions: 2022.02 - current
Risk for Delft-FEWS: False positive
JIRA: FEWS-27692
Upgrade strategy: False positive, no action required.

Date: December 2023
CVE: CVE-2022-46337
Library: derby-10.16.1.1.jar
Description: A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server.

FEWS only uses embedded Derby in local standalone installations; embedded Derby does not support LDAP and is not accessible over a network in such configurations. Therefore this warning can safely be discarded as a false positive.
Versions: 2021.02 - current
Risk for Delft-FEWS: False positive
JIRA: FEWS-30391
Upgrade strategy: False positive, no action required.

Date: November 2023
CVE: CVE-2023-36052, CVE-2024-43591
Library: azure-core-*.jar, azure-identity-*.jar
Description: Azure CLI REST Command Information Disclosure Vulnerability.

The Microsoft Security Response Center (MSRC) was made aware of a vulnerability where Azure Command-Line Interface (CLI) could expose sensitive information, including credentials, through GitHub Actions logs. The researcher, from Palo Alto Networks Prisma Cloud, found that Azure CLI commands could be used to show sensitive data and output to Continuous Integration and Continuous Deployment (CI/CD) logs. Microsoft recommends that customers update to the latest version of Azure CLI (2.54) and follow the guidance provided below to help prevent inadvertently exposing secrets through CI/CD logs. A notification in the Azure Portal was sent to customers who recently used Azure CLI commands informing them of an available update.
Versions: 2032.02 - current
Risk for Delft-FEWS: This is a very specific use case where the role these Java libraries could play is not clear. FEWS does not use this library in the context of a CLI or GitHub Actions, so this OWASP alert is considered a false positive.
JIRA: FEWS-30379, FEWS-30236
Upgrade strategy: False positive, no action required.

Date: November 2023
CVE: CVE-2023-36415
Library: azure-identity-*.jar
Description: Azure Identity SDK Remote Code Execution Vulnerability. The above is the only information supplied.

For the current 1.11.0 version we consider this a false alert for a vulnerability that needs to be addressed in the .NET-based Azure SDK, so it will be suppressed, specifically for CVE-2023-36415.
Versions: 2021.02 - current
Risk for Delft-FEWS: False positive
JIRA: FEWS-30236

Date: October 2023
CVE: CVE-2023-45853
Library: zlib1.dll, libz.so.1.2.13
Description: MiniZip in zlib through 1.3 has an integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_64 via a long filename, comment, or extra field. NOTE: MiniZip is not a supported part of the zlib product.

The main author, Mark Adler, states (GitHub): "Minizip is not part of zlib. The source code is provided in the contrib directory of the zlib distribution, along with several other such contributions, as a courtesy. This is not a zlib vulnerability."
Additionally, zlib.def has been checked to verify that at least the Windows version contains no MiniZip methods.
Versions: 2022.02 - current
Risk for Delft-FEWS: False positive
JIRA: FEWS-27692
Upgrade strategy: False positive, no action required.

October 2023CVE-2023-4586

netty-transport-4.1.91.Final.jar

netty-all-4.1.79.Final.jar

A vulnerability was found in the Hot Rod client provided by the Netty library. This security issue occurs as the Hot Rod client does not enable hostname validation when using TLS, possibly resulting in a man-in-the-middle (MITM) attack.

Netty is used by FEWS in the context of Microsoft Azure (AzureIotHub import) and THREDDS, which is used by the archive server.

Hot Rod is a very specific TCP client-server protocol used by the JBoss Infinispan product. There is no indication of any kind that the Hot Rod protocol is used by FEWS or THREDDS in any way, so this is considered a false positive warning.

2020.02 - current

False positive

FEWS-26050

False positive. No action required.

September 2023

CVE-2023-34040

spring-boot-3.0.7.jar

In Spring for Apache Kafka 3.0.9 and earlier and versions 2.9.10 and earlier, a possible deserialization attack vector existed, but only if unusual configuration was applied. An attacker would have to construct a malicious serialized object in one of the deserialization exception record headers. Specifically, an application is vulnerable when all of the following are true:

- The user does not configure an ErrorHandlingDeserializer for the key and/or value of the record
- The user explicitly sets the container properties checkDeserExWhenKeyNull and/or checkDeserExWhenValueNull to true.
- The user allows untrusted sources to publish to a Kafka topic

By default, these properties are false, and the container only attempts to deserialize the headers if an ErrorHandlingDeserializer is configured. The ErrorHandlingDeserializer prevents the vulnerability by removing any such malicious headers before processing the record.

Two out of three conditions mentioned in the description are not met in the case of FEWS. This library is currently only used for the admin interface, which should never be made available for use by "untrusted sources" over the internet.

2020.02 - 2023.01

False positive

FEWS-29191

False positive. No action required.


February 2023

CVE-2023-25158

gt-26.4.jar
gt-20.0.jar
net.opengis.fes-20.0.jar

The GeoTools implementation of the OpenGIS Filter Encoding Standard (FES) has been found to contain SQL Injection Vulnerabilities when executing OGC Filters with JDBCDataStore implementations.

Delft-FEWS has no such JDBCDataStore implementation, and the Filter functionality has been included only to support a client-side implementation of the OpenGIS WFS interface. FEWS only uses this to implement OpenGIS WFS viewing capability; no server-side WFS or FES implementation that could be prone to SQL injection exists in FEWS.

2019.02 - 2022.02

False positive

FEWS-27037

False positive. No action required.

December 2022

CVE-2016-4432

qpid-jms-client-0.51.0-p.jar

The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to connection state logging.

Delft-FEWS only uses the client, not the AMQP server.

2021.01 - current

False positive.

FEWS-28377

False positive. No action required. The jar file can be removed from the bin folder if the Azure IoT Hub import is not used. See also AzureIotHub
Oct 2022

CVE-2022-41853

hsqldb-2.*.jar

Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution.

Delft-FEWS does not allow any 'untrusted' input to be used in SQL statements, so this is considered a false positive.

2021.02 - 2022.02

False positive

FEWS-31820

2023.01 and later have been upgraded to version 2.7.2

Oct 2022

CVE-2022-41404

ini4j-0.5.4.jar

An issue in the fetch() method in the BasicProfile class of org.ini4j before v0.5.4 allows attackers to cause a Denial of Service (DoS) via unspecified vectors.

2022.02 and earlier

False positive

False positive: the report states that version 0.5.4 fixes the problem, yet the scanner still flags the current version. Also, this library is only used in adapters, where "unspecified vectors" are extremely unlikely to play any role.

Feb 2023

August 2022

CVE-2022-31197

postgresql-42.4.1.jar

postgresql-42.3.3.jar

PG 42.3.3 was flagged in Aug 2022.

PG 42.4.1 has only been flagged since Feb 2023.

The PGJDBC implementation of the `java.sql.ResultRow.refreshRow()` method is not performing escaping of column names so a malicious column name that contains a statement terminator, e.g. `;`, could lead to SQL injection. 

2022.01 - 2022.02

False positive. PgResultSet#refreshRow() is not used.

FEWS-28737

FEWS-27632

False positive. 2022.02 and 2023.01 have been upgraded to 42.5.3.


May 2022

CVE-2016-1000027

spring-core-5.3.19.jar

The Spring framework allows the use of an HTTP invoker that relies on Java object serialization and may therefore be vulnerable to remote code execution.

https://docs.spring.io/spring-framework/docs/current/reference/html/integration.html#remoting-httpinvoker

2019.02 - 2022.01

Only used in the Admin interface, where the described scenario is not used.

FEWS-27230

False positive. The HTTP Invoker mechanism that is vulnerable is not used in any of the Delft-FEWS components. Upgrading won't help either, since it won't be removed from the library; it has been marked as deprecated and will be removed in Spring 6.
Mar 2022

CVE-2022-26336

poi-scratchpad 5.2

A shortcoming in the HMEF package of poi-scratchpad (Apache POI) allows an attacker to cause an Out of Memory exception. This package is used to read TNEF files (Microsoft Outlook and Microsoft Exchange Server). If an application uses poi-scratchpad to parse TNEF files and the application allows untrusted users to supply them, then a carefully crafted file can cause an Out of Memory exception. This issue affects poi-scratchpad version 5.2.0 and prior versions. Users are recommended to upgrade to poi-scratchpad 5.2.1.

2021.02 only

False positive. FEWS uses some of the Apache POI library (for the interval statistics dialog) but not the scratchpad, which is in a separate jar file.

FEWS-26865

False positive. Upgrade in development to latest release.
Feb 2022

CVE-2022-21724

postgresql-42.2.22.jar

A security hole was found in the JDBC driver for the PostgreSQL database while doing security research. A system using the PostgreSQL library can be attacked when an attacker controls the JDBC URL or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade.

2021.02 - 2022.01

PG JDBC database URL manipulation enables code execution loaded via arbitrary classes.

FEWS-26908

Upgrade to postgresql-42.3.3.jar
Nov 2021

CVE-2021-43466

thymeleaf-3.0.12.RELEASE.jar

In the thymeleaf-spring5:3.0.12 component, thymeleaf combined with specific scenarios in template injection may lead to remote code execution.

Comment of Thymeleaf developer: I'd like to explain that CVE-2021-43466 only affects those applications that contain controllers or controller configurations that take a request parameter and directly use it, without previous filtering, as the name of the view to be rendered


Only used in Admin interface where the described scenario is not used.

FEWS-26228

False positive. No action required. Once version 3.0.13 is available we can upgrade the jar to avoid this false alarm.
Oct 2021 / Jan 2022

CVE-2021-42340,
CVE-2022-23181

tomcat-embed-core-9.0.50.jar

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.

2021.02 - 2022.02

False positives. Delft-FEWS web applications do not use WebSockets and do not use session persistence with the FileStore.

FEWS-26049

False positives. Upgrade in development only to latest Tomcat 9 release.
Oct 2021

CVE-2021-37136,
CVE-2021-37137

netty-all-4.1.48.Final.jar

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack. 

and

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.


False alarm. Bzip decoder is not used. Excessive memory usage might lead to a failing FSS in the worst case. Since the Azure IOT Hub is quite well secured, the risk is limited.

FEWS-26050

False positive. Upgrade in development to latest release.
Jun 2021

CVE-2021-33813

jdom-2.02.jar

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

Might be used in imports that use OPeNDAP. But since the library is not used in a service component, the risk is limited.

FEWS-25545

Dependency of the UCAR NetCDF libraries. The JDOM library has been upgraded to jdom2-2.0.6.1.jar since 2022.01.


Oct 2020

CVE-2017-9096

iText-2.1.3.jar

The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.

This library is used only to export timeseries charts and to index PDF help files that are distributed with Delft-FEWS. Untrusted content will never be opened using iText, so this is considered a false positive.

FEWS-31666

False positive. Upgrading this would require a commercial version that may not be backwards compatible.
Mar 2019

CVE-2019-7611

elasticsearch-core-6.4.3.jar

A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used.

Elasticsearch, as distributed as part of the archive server, does not have Field Level or Document Level Security disabled. As long as the provided settings are not changed, there is no risk.

FEWS-25543

False positive. No need to upgrade since the archive server configuration is correct. Once a fix is available we can upgrade the jar to avoid this false alarm.
May 2018

CVE-2018-1258

spring-security-core-5.4.8.jar, spring-security-oauth2-core-5.4.8.jar

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.
CWE-863 Incorrect Authorization

False alarm. Spring Security is used in the Admin Interface, but not with version 5.0.5 of the Spring framework; a higher version is used.

FEWS-25865

False positive. No action required. Once a fix is available we can upgrade the jar to avoid this false alarm.

Common Vulnerabilities and Exposures (CVE) with CVE score Medium and Low

This page keeps track of known CVE issues in libraries that are distributed with Delft-FEWS and the upgrade strategy of these libraries. The Common Vulnerability Scoring System (CVSS) of severity Medium and Low are reported here.

date | CVE | library | description | versions | Risk for Delft-FEWS | JIRA | upgrade strategy
April 2026

CVE-2025-1647

bootstrap.min.js

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap: from 3.4.1 before 4.0.0.

Before 4.0.0

False positive. Bootstrap's Popover and Tooltip components are not used to display input data. Only static text is displayed.

FEWS-34812

No upgrade planned.

April 2026

CVE-2024-6485

bootstrap.min.js

A security vulnerability has been discovered in Bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.

Before 4.0.0

False positive. Bootstrap's Popover and Tooltip components are not used to display input data. Only static text is displayed.

FEWS-34812

No upgrade planned.

April 2026

CVE-2022-24197

CVE-2022-24196

itextpdf-5.5.13.4.jar

iText v7.1.17 was discovered to contain a stack-based buffer overflow via the component ByteBuffer.append, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

iText v7.1.17, up to (excluding) 7.1.18 and 7.2.2, was discovered to contain an out-of-memory error via the component readStreamBytesRaw, which allows attackers to cause a Denial of Service (DoS) via a crafted PDF file.

5.5.13.4

FEWS-34196

Updated to 5.5.13.5 in Stable 2026.01

April 2026

CVE-2021-37533

xmlgraphics-commons-2.9.jar

Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.

2.9

FEWS-34196

Updated to 2.11 in Stable 2026.01

April 2026

CVE-2020-29582

kotlin-stdlib-1.9.10.jar

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

1.9.10

FEWS-34196

Updated to 2.3.10 in Stable 2026.01

April 2026

CVE-2026-24733

tomcat-embed-core-11.0.14.jar

Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue.

11.0.14

FEWS-34196

Updated to 11.0.18 in Stable 2026.01

April 2026

CVE-2025-67735

netty-all-4.1.126.Final.jar

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

1.11.0

FEWS-34196

Updated to 1.18.2 in Stable 2026.01

February 2026

CVE-2026-27171

zlib1.dll

zlib before 1.3.2 allows CPU consumption via crc32_combine64 and crc32_combine_gen64 because x2nmodp can do right shifts within a loop that has no termination condition.

1.3.1

FEWS-34519

Updated to 1.3.2 in Stable 2026.01

February 2026

CVE-2014-3004

castor-0.9.5p4.jar

The default configuration for the Xerces SAX Parser in Castor before 1.3.3 allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted XML document.

0.9.5

The castor library used by FEWS has been patched at the source code level in 2021

FEWS-34288

False positive

December 2025

CVE-2023-35116

jackson-databind

jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a valid vulnerability report, because the steps of constructing a cyclic data structure and trying to serialize it cannot be achieved by an external attacker.

2.15.2

FEWS-28837

Updated to 2.15.4 in stable 2023.01 and newer branches.

December 2025

CVE-2025-30474

commons-vfs2-2.9.0.jar

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Commons VFS. The FtpFileObject class can throw an exception when a file is not found, revealing the original URI in its message, which may include a password. The fix is to mask the password in the exception message. This issue affects Apache Commons VFS: before 2.10.0. Users are recommended to upgrade to version 2.10.0, which fixes the issue.

2.9.0

FEWS-32789


December 2025

CVE-2025-31672

poi-ooxml-5.2.2.jar

Improper Input Validation vulnerability in Apache POI. The issue affects the parsing of OOXML format files like xlsx, docx and pptx. These file formats are basically zip files and it is possible for malicious users to add zip entries with duplicate names (including the path) in the zip. In this case, products reading the affected file could read different data because 1 of the zip entries with the duplicate name is selected over another but different products may choose a different zip entry. This issue affects Apache POI poi-ooxml before 5.4.0. poi-ooxml 5.4.0 has a check that throws an exception if zip entries with duplicate file names are found in the input file. Users are recommended to upgrade to version poi-ooxml 5.4.0, which fixes the issue. Please read https://poi.apache.org/security.html for recommendations about how to use the POI libraries securely.

5.2.2

upgrade apache_poi_ooxml to 5.4.1 (04/09/2025 09:43)

Upgrade to 2025.02

December 2025

CVE-2023-33201

bcprov-jdk15-1.69.jar

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

1.69

FEWS-24727


December 2025

CVE-2025-48924

commons-lang3-3.12.0.jar

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

3.12.0

FEWS-31669


December 2025

CVE-2024-35255
azure-identity-1.11.0.jar

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

1.11.0


FEWS-27037


February 2026

CVE-2024-35255

azure-identity-1.18.2.jar
msal4j-1.24.0.jar

Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability

1.18.2
1.24.0

FEWS-34475


December 2025

CVE-2024-26308

commons-compress-1.21.jar

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress. This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.

1.21

FEWS-31669


December 2025

CVE-2023-33202

bcprov-jdk15-1.69.jar

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

1.69

FEWS-24727


December 2025

CVE-2025-53864

nimbus-jose-jwt-9.25.6

Connect2id Nimbus JOSE + JWT 10.0.x before 10.0.2 and 9.37.x before 9.37.4 allows a remote attacker to cause a denial of service via a deeply nested JSON object supplied in a JWT claim set, because of uncontrolled recursion. NOTE: this is independent of the Gson 2.11.0 issue because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

9.25.6

FEWS-31813


December 2025

CVE-2024-30171

bcprov-jdk15-1.69.jar

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

1.69

FEWS-24727


Commonly distributed 3rd party executables with CVE score Critical and High


date | CVE | library | description | versions | Risk for Delft-FEWS | JIRA | upgrade strategy

Apr 2022

CVE-2022-28085

htmldoc (optionally supplied component not part of the Delft-FEWS binaries)

A flaw was found in htmldoc commit 31f7804. A heap buffer overflow in the function pdf_write_names in ps-pdf.cxx may lead to arbitrary code execution and Denial of Service (DoS).

Up to 2022-03-24

Up to (excluding) 2022-03-24

FEWS-27693

When using htmldoc, the end-user must be supplied with an updated version from https://github.com/michaelrsweet/htmldoc/releases


Deltares Open Archive common vulnerabilities and exposures (CVE) with CVE score Critical and High

This page keeps track of known CVE issues in libraries that are distributed with the Deltares Open Archive and the upgrade strategy of these libraries. The Common Vulnerability Scoring System (CVSS) of severity Critical and High are reported here.

THREDDS

date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy
April 2026

CVE-2025-68280

Improper Restriction of XML External Entity Reference vulnerability in Apache SIS. It is possible to write XML files in such a way that, when parsed by Apache SIS, an XML file reveals to the attacker the content of a local file on the server running Apache SIS. This vulnerability impacts the following SIS services:

- Reading of GeoTIFF files having the GEO_METADATA tag defined by the Defense Geospatial Information Working Group (DGIWG).
- Parsing of ISO 19115 metadata in XML format.
- Parsing of Coordinate Reference Systems defined in the GML format.
- Parsing of files in GPS Exchange Format (GPX).

This issue affects Apache SIS from versions 0.4 through 1.5 inclusive. Users are recommended to upgrade to version 1.6, which will fix the issue. In the meantime, the security vulnerability can be avoided by launching Java with the javax.xml.accessExternalDTD system property set to a comma-separated list of authorized protocols. For example: java -Djavax.xml.accessExternalDTD="" ...

1.4

FEWS-34196


August 2023

CVE-2023-39017

quartz-jobs 2.3.2 and below was discovered to contain a code injection vulnerability in the component org.quartz.jobs.ee.jms.SendQueueMessageJob.execute. This vulnerability is exploited via passing an unchecked argument.

This is an indirect dependency, as this library is used by the THREDDS data service which is part of the archive.

The source code of the current 4.6 THREDDS release has been checked to make sure that it does not use the SendQueueMessageJob class in any way, so this is considered a false positive within the context of FEWS.

up to current

False positive. THREDDS does not use this part of the quartz library.

FEWS-29689


July 2023

CVE-2023-2976

Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

up to 2022.02

False positive. User has to already have access to server.

FEWS-29496

Fixed in Thredds 5.5 - FEWS 2023.01
March 2023

CVE-2023-20860

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

up to 2022.02

False positive. Spring security is not used.

FEWS-29336

Fixed in Thredds 5.5 - FEWS 2023.01
October 2021

CVE-2020-13936

An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container.

up to 2022.02

False positive. Users in THREDDS are not allowed to upload velocity templates.

FEWS-29325

Fixed in Thredds 5.5 - FEWS 2023.01

November 2018

CVE-2018-1258

Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted.

up to current

False positive. Spring security is not used.

FEWS-29331, FEWS-29332, FEWS-29334 and FEWS-29335


February 2020

CVE-2016-1000027

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

up to current

False positive. Java is not used for deserialization.

FEWS-29336


December 2022

CVE-2022-3510

A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

up to 2022.02

False positive. Parsing is internally handled by THREDDS.

FEWS-29337

Fixed in Thredds 5.5 - FEWS 2023.01

November 2022

CVE-2022-3171

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

up to 2022.02

False positive. Parsing is internally handled by THREDDS.

FEWS-29337

Fixed in Thredds 5.5 - FEWS 2023.01
December 2022

CVE-2022-45688

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

up to current

False positive. XML to JSON is not used in THREDDS.

FEWS-29342


October 2023

CVE-2023-5072

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

up to current

False positive. The archive is always protected by a proxy, which does not allow untrusted inputs.

FEWS-29342


July 2023

CVE-2023-38286

Thymeleaf through 3.1.1.RELEASE, as used in spring-boot-admin (aka Spring Boot Admin) through 3.1.1 and other products, allows sandbox bypass via crafted HTML. This may be relevant for SSTI (Server Side Template Injection) and code execution in spring-boot-admin if MailNotifier is enabled and there is write access to environment variables via the UI.

up to current

False positive. THREDDS does not use MailNotifier.

FEWS-29646


June 2021

CVE-2021-33813

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

up to current

False positive. THREDDS is not vulnerable to this type of attack.

FEWS-29346


March 2026

CVE-2026-27727

 

Theoretical issue with regard to using JNDI.

up to THREDDS 5.6

False positive. THREDDS does not use JNDI.

FEWS-34612

Opensearch

date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy
April 2026

CVE-2026-33186

gRPC-Go is the Go language implementation of gRPC. Versions prior to 1.79.3 have an authorization bypass resulting from improper input validation of the HTTP/2 `:path` pseudo-header. The gRPC-Go server was too lenient in its routing logic, accepting requests where the `:path` omitted the mandatory leading slash (e.g., `Service/Method` instead of `/Service/Method`). While the server successfully routed these requests to the correct handler, authorization interceptors (including the official `grpc/authz` package) evaluated the raw, non-canonical path string. Consequently, "deny" rules defined using canonical paths (starting with `/`) failed to match the incoming request, allowing it to bypass the policy if a fallback "allow" rule was present. This affects gRPC-Go servers that use path-based authorization interceptors, such as the official RBAC implementation in `google.golang.org/grpc/authz` or custom interceptors relying on `info.FullMethod` or `grpc.Method(ctx)`; AND that have a security policy contains specific "deny" rules for canonical paths but allows other requests by default (a fallback "allow" rule). The vulnerability is exploitable by an attacker who can send raw HTTP/2 frames with malformed `:path` headers directly to the gRPC server. The fix in version 1.79.3 ensures that any request with a `:path` that does not start with a leading slash is immediately rejected with a `codes.Unimplemented` error, preventing it from reaching authorization interceptors or handlers with a non-canonical path string. While upgrading is the most secure and recommended path, users can mitigate the vulnerability using one of the following methods: Use a validating interceptor (recommended mitigation); infrastructure-level normalization; and/or policy hardening.


gRPC-Go servers are not used

FEWS-34734

None needed

April 2026

CVE-2008-0207

Multiple cross-site scripting (XSS) vulnerabilities in PRO-Search 0.17 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) prot, (2) host, (3) path, (4) name, (5) ext, (6) size, (7) search_days, or (8) show_page parameter to the default URI.

0.6.0

FEWS-34196


April 2026

CVE-2008-0199

PRO-Search 0.17 and earlier allows remote attackers to cause a denial of service via certain values of the show_page and time parameters to the default URI.

0.6.6

FEWS-34196


April 2026

CVE-2025-67735
CVE-2025-25193

CVE-2024-47535

CVE-2024-29025

CVE-2023-34462

CVE-2022-24823

CVE-2021-43797

CVE-2021-21409

CVE-2021-21295

CVE-2021-21290

CVE-2014-3488

Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling when `HttpRequestEncoder` is used without proper sanitization of the URI. Any application / framework using `HttpRequestEncoder` can be subject to be abused to perform request smuggling using CRLF injection. Versions 4.1.129.Final and 4.2.8.Final fix the issue.

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. This vulnerability is fixed in 4.1.115.

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked into accumulating data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have; an attacker can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder accumulates bytes in the `undecodedChunk` buffer until it can decode a field, and this field can accumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `SniHandler` can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the `SniHandler` allocate 16MB of heap. The `SniHandler` class is a handler that waits for the TLS handshake to configure a `SslHandler` according to the server name indicated by the `ClientHello` record. For this matter it allocates a `ByteBuf` using the value defined in the `ClientHello` record. Normally the value of the packet should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the `SslClientHelloHandler`. This vulnerability has been fixed in version 4.1.94.Final.

Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications (component: Rules Framework). Supported versions that are affected are 8.0.6-8.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Analytical Applications Infrastructure. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Financial Services Analytical Applications Infrastructure, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Financial Services Analytical Applications Infrastructure accessible data as well as unauthorized read access to a subset of Oracle Financial Services Analytical Applications Infrastructure accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`, `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind `Http2StreamFrameToHttpObjectCodec`.

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.


This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service as this uses OpenSearch internally and does not expose OpenSearch as a web service.

FEWS-34733

False positive.

September 2025

CVE-2025-58057

CVE-2025-58056

CVE-2025-55163

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with specially crafted input, BrotliDecoder and certain other decompression decoders will allocate a large number of reachable byte buffers, which can lead to denial of service. BrotliDecoder.decompress has no limit in how often it calls pull, decompressing data 64K bytes at a time. The buffers are saved in the output list, and remain reachable until OOM is hit. This is fixed in versions 4.1.125.Final of netty-codec and 4.2.5.Final of netty-codec-compression.

Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a chunk-size line terminator, regardless of a preceding carriage return (CR), instead of requiring CRLF per HTTP/1.1 standards. When combined with reverse proxies that parse LF differently (treating it as part of the chunk extension), attackers can craft requests that the proxy sees as one request but Netty processes as two, enabling request smuggling attacks. This is fixed in versions 4.1.125.Final and 4.2.5.Final.

Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit - which results in resource exhaustion and distributed denial of service. This issue has been patched in versions 4.1.124.Final and 4.2.4.Final.


This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service as this uses OpenSearch internally and does not expose OpenSearch as a web service.

FEWS-33708

False positive.

February 2025

CVE-2025-24970

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler, it doesn't correctly handle validation of such a packet in all cases, which can lead to a native crash. Version 4.1.118.Final contains a patch. As a workaround it is possible to either disable the usage of the native SSLEngine or change the code manually.


This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service as this uses OpenSearch internally and does not expose OpenSearch as a web service.


November 2024

CVE-2024-43794

CVE-2024-39901

CVE-2023-45807

 

OpenSearch Dashboards Security Plugin adds a configuration management UI for the OpenSearch Security features to OpenSearch Dashboards. Improper validation of the nextUrl parameter can lead to external redirect on login to OpenSearch-Dashboards for specially crafted parameters. A patch is available in 1.3.19 and 2.16.0 for this issue.

OpenSearch Observability is a collection of plugins and applications that visualize data-driven events. An issue in the OpenSearch observability plugins allows unintended access to private tenant resources like notebooks. The system did not properly check if the user was the resource author when accessing resources in a private tenant, leading to potential data being revealed. The patches are included in OpenSearch 2.14.

OpenSearch is a community-driven, open source fork of Elasticsearch and Kibana following the license change in early 2021. There is an issue with the implementation of tenant permissions in OpenSearch Dashboards where authenticated users with read-only access to a tenant can perform create, edit and delete operations on index metadata of dashboards and visualizations in that tenant, potentially rendering them unavailable. This issue does not affect index data, only metadata. Dashboards correctly enforces read-only permissions when indexing and updating documents. This issue does not provide additional read access to data users don’t already have. This issue can be mitigated by disabling the tenants functionality for the cluster. Versions 1.3.14 and 2.11.0 contain a fix for this issue.


False positive. These are all related to OpenSearch Dashboards and the tenants used by them. We do not use the dashboards.

FEWS-32203

These CVEs will no longer be reported once OpenSearch is upgraded to 2.16, but that upgrade can only be done when we move to Java 21.

2015 - 2022

CVE-2015-2156

CVE-2019-16869

CVE-2019-20445

CVE-2022-41881

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a custom HaProxyMessageDecoder.


This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service as this uses OpenSearch internally and does not expose OpenSearch as a web service.


October 2023

CVE-2023-44487

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
This is triggered by the Netty components bundled with OpenSearch, which are not used in the context of the Delft-FEWS archive service as this uses OpenSearch internally and does not expose OpenSearch as a web service.


January 2020

CVE-2019-20444

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

up to 202301

202301 and higher have a fix which checks that headers have a colon. If not, the request is rejected.

FEWS-29351

December 2022

CVE-2022-3064

Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

up to 202301

False positive. The only YAML file used is the YAML file for the configuration. This file is only accessible by admins.

FEWS-29357

Deltares archive server

date | CVE | description | versions | Risk for Deltares Open Archive | JIRA | upgrade strategy

April 2026

CVE-2019-17091

faces/context/PartialViewContextImpl.java in Eclipse Mojarra, as used in Mojarra for Eclipse EE4J before 2.3.10 and Mojarra JavaServer Faces before 2.2.20, allows Reflected XSS because a client window field is mishandled.

2.4.0p1


FEWS-34196


April 2026

CVE-2020-6950

Directory traversal in Eclipse Mojarra before 2.3.14 allows attackers to read arbitrary files via the loc parameter or con parameter.

2.4.0p1


FEWS-34196


April 2026

CVE-2022-31160

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.

11.0.0p1


FEWS-34196


January 2026

CVE-2026-22184

This is a bug in a reference program demonstrating how to use zlib. This is not a problem in zlib itself.

ioapi.c and untgz.c are in the contrib directory, and so are not part of zlib. You can contact the authors of those codes if you like, but in any case they are not vulnerabilities in zlib.

All

False positive

FEWS-34300

False positive, no action required

July 2025

CVE-2023-4770

An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. This vulnerability consists in a DLL hijacking by replacing x64 shfolder.dll in the installation path, causing an arbitrary code execution.

This warning suddenly appeared for no obvious reason, as it did in the Adapters branch earlier; probably an error in the NIST database.

EA2024.02 only

False positive. Looks like a false warning coming from incibe.es?

April 2022

CVE-2022-24785

Included in primefaces-11.0.0.jar, moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. A path traversal vulnerability impacts npm (server) users of Moment.js between versions 1.0.1 and 2.29.1, especially if a user-provided locale string is directly used to switch moment locale. This problem is patched in 2.29.2, and the patch can be applied to all affected versions. As a workaround, sanitize the user-provided locale name before passing it to Moment.js.

up to current

False positive. User-provided locale strings are not used.

FEWS-29358
June 2022

CVE-2022-31129

CVE-2023-22467

Included in primefaces-11.0.0.jar, moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a noticeable slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

up to current

False positive. Users cannot pass a user-defined string for date parsing.

FEWS-29358

FEWS-31167



June 2022

CVE-2020-7746

chartjs.js is a JavaScript library which is included with the primefaces 8.0 jar file and triggers a warning for this vulnerability. As the Archive Web UI is not using chartjs functionality this is considered a false positive and there is no need to update primefaces in 2021.02 and older branches.

up to 2021.02

False positive, the archive web interface does not use this functionality.

FEWS-24730



Apache Tomcat CVE score Critical and High


date | CVE | description | versions | Risk for Delft-FEWS | JIRA | upgrade strategy

Apr 2025

CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Tomcat installations used for hosting the FEWS admin interface and web services are normally the responsibility of the end users, and should never be exposed to the public internet other than via a remote proxy or firewall that protects against TLS-based attacks.
The embedded Tomcat that is part of the FEWS Explorer user interface does not have writes enabled.

  • 10.1.0-M1 - 10.1.24
  • 9.0.13 - 9.0.89


2022.01 - 2024.02

FEWS-26049

False positive, updated in 2025.01 only

Apr 2025

CVE-2025-24813

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Tomcat installations used for hosting the FEWS admin interface and web services are normally the responsibility of the end users, and should never be exposed to the public internet other than via a remote proxy or firewall that protects against TLS-based attacks.
The embedded Tomcat that is part of the FEWS Explorer user interface does not have writes enabled.

  • 10.1.0-M1 - 10.1.34
  • 9.0.0.M1 - 9.0.98

2022.01 - 2024.02

FEWS-26049

False positive, updated in 2025.01 only

Feb 2025

CVE-2024-38286

Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. Older, unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

The embedded Tomcat that is part of the FEWS installation is normally not set up for HTTPS and should be used only for testing purposes within the protection of a local network, so it should never be exposed to the public internet.

Tomcat installations used for hosting the FEWS admin interface and web services are normally the responsibility of the end users, and should never be exposed to the public internet other than via a remote proxy or firewall that protects against TLS-based attacks.

  • 10.1.0 - 10.1.24
  • 9.0.13 - 9.0.89

 

2022.01 - 2022.02

FEWS-26049

False positive

December 2024

CVE-2024-50379

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability during JSP compilation in Apache Tomcat permits an RCE on case insensitive file systems when the default servlet is enabled for write (non-default configuration).

This applies only to a Tomcat server or embedded Tomcat if writing files to the server is enabled, which is considered a highly unlikely scenario and would be the responsibility of the Tomcat server administrator. In the embedded Tomcat instance used by FEWS this is not the case. This is considered a false positive.

  • 10.1.0 - 10.1.33
  • 9.0.0.M1 - 9.0.97

2021.02 - 2024.02

FEWS-26049

False positive

November 2023

CVE-2023-46589

Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

  • 10.1.0 - 10.1.15
  • 9.0.0 - 9.0.82


Upgrade to latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

October 2023

CVE-2023-42795

When recycling various internal objects, including the request and the response, prior to re-use by the next request/response, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next.

  • 10.1.0 - 10.1.13
  • 9.0.0 - 9.0.80


Upgrade to latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

October 2023

CVE-2023-44487

Tomcat's HTTP/2 implementation was vulnerable to the rapid reset attack.

The denial of service typically manifested as an OutOfMemoryError.

  • 10.1.0 - 10.1.13
  • 9.0.0 - 9.0.80


Upgrade to latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

October 2023

CVE-2023-45648

Tomcat did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

  • 10.1.0 - 10.1.13
  • 9.0.0 - 9.0.80


Upgrade to latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

June 2023

CVE-2023-34981

A regression in the fix for bug 66512 in Apache Tomcat 11.0.0-M5, 10.1.8, 9.0.74 and 8.5.88 meant that, if a response did not include any HTTP headers, no AJP SEND_HEADERS message would be sent for the response, which in turn meant that at least one AJP proxy (mod_proxy_ajp) would use the response headers from the previous request, leading to an information leak.
  • Apache Tomcat 10.1.8
  • Apache Tomcat 9.0.74
None, we do not use AJP proxy

Upgrade to latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

May 2023

CVE-2022-28079

The fix for CVE-2023-24998 was incomplete. If non-default HTTP connector settings were used such that the maxParameterCount could be reached using query string parameters and a request was submitted that supplied exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be bypassed with the potential for a denial of service to occur.
  • Apache Tomcat 10.1.5 to 10.1.7
  • Apache Tomcat 9.0.71 to 9.0.73


Upgrade to latest version of Apache Tomcat.

Note: Delft-FEWS releases < 2023.01 require Apache Tomcat 9; releases >= 2023.01 require Apache Tomcat 10.

