chore(security): pin tomcat-embed-core 10.1.55 — Apache Tomcat CVE fixes (v0.1.25.13)#71
Merged
…xes (v0.1.25.13)

Trivy flagged `tomcat-embed-core 10.1.54` (SB 3.5.14's managed version) with 3 CRITICAL + 3 HIGH + 1 LOW Apache Tomcat CVEs between the last clean main scan (2026-05-11) and 2026-05-24. Re-introduce a property override (same shape as the v0.1.25.10 10.1.54 pin, dropped at v0.1.25.12 when SB 3.5.14 caught up).

CVEs (all in tomcat-embed-core 10.1.0-M1..10.1.54, all fixed in 10.1.55):

- CVE-2026-43515 CRITICAL — Improper Authorization (method constraints)
- CVE-2026-43512 CRITICAL — Authentication Bypass (digest auth)
- CVE-2026-41293 CRITICAL — Improper Input Validation
- CVE-2026-43513 HIGH — Case sensitivity in LockOutRealm
- CVE-2026-42498 HIGH — HTTP Auth header leak in WebSocket
- CVE-2026-41284 HIGH — Resource allocation DoS
- CVE-2026-43514 LOW — Observable timing in AJP secret compare

Property-override only — no code, spec, or wire change. `revision` bumps 0.1.25.12 → 0.1.25.13.

Override notes:

- Spring Boot's spring-boot-dependencies BOM uses `tomcat.version` to manage all tomcat-embed-* artifacts, so one property covers tomcat-embed-core, -el, and -websocket transitively.
- Same pattern as v0.1.25.10 (10.1.54 pin). Remove again once SB ships a BOM with 10.1.55+.

AUDIT.md updated per project rule "always update AUDIT.md files when making changes to server, admin, client repos."

Companion change in cycles-server-admin (chore/bump-tomcat-10.1.55-cves branch, v0.1.25.42) covers the same CVE set in the admin service.
Summary
Re-introduce the `<tomcat.version>10.1.55</tomcat.version>` property override to fix 3 CRITICAL + 3 HIGH + 1 LOW Apache Tomcat CVEs that trivy's database flagged against `tomcat-embed-core 10.1.54` (Spring Boot 3.5.14's managed version) between the last clean main scan (2026-05-11) and 2026-05-24. Same pin shape as the v0.1.25.10 10.1.54 override (dropped at v0.1.25.12 when SB 3.5.14's BOM caught up to managing 10.1.54 directly).
CVEs (all fixed in tomcat-embed-core 10.1.55)
Change
Pom property addition (same shape as the v0.1.25.10 pin):
Plus `revision` bump 0.1.25.12 → 0.1.25.13.

Scope

Spring Boot's spring-boot-dependencies BOM uses `tomcat.version` to manage all `tomcat-embed-*` artifacts, so one property covers `tomcat-embed-core`, `tomcat-embed-el`, and `tomcat-embed-websocket` transitively.

Related
Test plan
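As an added verification check (not part of this PR or the project's code), the script below parses `mvn dependency:tree` output and confirms that every `tomcat-embed-*` artifact resolved to at least the pinned version and that all three moved together, which is what the single `tomcat.version` property is supposed to guarantee. The tree output embedded here is constructed sample data, and the `com.example:app` coordinates are placeholders.

```python
import re
import sys

# Constructed sample `mvn dependency:tree` output after the 10.1.55 pin (not real build
# output; the com.example coordinates are placeholders).
TREE_PINNED = """\
[INFO] com.example:app:jar:0.1.25.13
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:3.5.14:compile
[INFO] |  \\- org.springframework.boot:spring-boot-starter-tomcat:jar:3.5.14:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-core:jar:10.1.55:compile
[INFO] |     +- org.apache.tomcat.embed:tomcat-embed-el:jar:10.1.55:compile
[INFO] |     \\- org.apache.tomcat.embed:tomcat-embed-websocket:jar:10.1.55:compile
"""
# Same tree with the override absent, i.e. the BOM-managed 10.1.54 (constructed).
TREE_UNPINNED = TREE_PINNED.replace("10.1.55", "10.1.54")

EMBED_ARTIFACTS = ("tomcat-embed-core", "tomcat-embed-el", "tomcat-embed-websocket")
ARTIFACT_RE = re.compile(r"org\.apache\.tomcat\.embed:(tomcat-embed-[a-z]+):jar:([0-9A-Za-z.\-]+):")


def parse_version(v):
    """'10.1.55' -> (10, 1, 55, 0); a qualifier such as '10.1.0-M1' sorts below the GA release."""
    core, _, qualifier = v.partition("-")
    return tuple(int(p) for p in core.split(".")) + ((-1,) if qualifier else (0,))


def tomcat_embed_versions(tree_output):
    """Map each tomcat-embed-* artifact in the tree to the version Maven resolved for it."""
    return {m.group(1): m.group(2) for m in ARTIFACT_RE.finditer(tree_output)}


def check_pin(tree_output, pinned="10.1.55", expected=EMBED_ARTIFACTS):
    """Return a list of problems; an empty list means every expected artifact is at or above the pin."""
    versions = tomcat_embed_versions(tree_output)
    problems = []
    for artifact in expected:
        resolved = versions.get(artifact)
        if resolved is None:
            problems.append(f"{artifact}: not present in dependency tree")
        elif parse_version(resolved) < parse_version(pinned):
            problems.append(f"{artifact}: resolved {resolved}, below pin {pinned}")
    # One tomcat.version property should move all three together; a mix means it did not apply everywhere.
    if len(set(versions.values())) > 1:
        problems.append(f"mixed tomcat-embed versions: {versions}")
    return problems


if __name__ == "__main__":
    # Pipe real output in: mvn dependency:tree -Dincludes=org.apache.tomcat.embed | python check_tomcat_pin.py
    tree = sys.stdin.read() if not sys.stdin.isatty() else TREE_PINNED
    for line in check_pin(tree) or ["OK: all tomcat-embed-* artifacts at or above 10.1.55"]:
        print(line)
```

Run against the real tree after the pin; any "below pin" or "mixed" line means the BOM is still managing one of the artifacts and the override did not take effect.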