diff --git a/advisories/github-reviewed/2026/04/GHSA-h468-7pvh-8vr8/GHSA-h468-7pvh-8vr8.json b/advisories/github-reviewed/2026/04/GHSA-h468-7pvh-8vr8/GHSA-h468-7pvh-8vr8.json
index e4c088746a8fd..5e86f107d8867 100644
--- a/advisories/github-reviewed/2026/04/GHSA-h468-7pvh-8vr8/GHSA-h468-7pvh-8vr8.json
+++ b/advisories/github-reviewed/2026/04/GHSA-h468-7pvh-8vr8/GHSA-h468-7pvh-8vr8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-h468-7pvh-8vr8",
- "modified": "2026-04-10T21:32:09Z",
+ "modified": "2026-04-10T21:32:12Z",
 "published": "2026-04-09T21:31:29Z",
 "aliases": [
 "CVE-2026-29146"
@@ -9,10 +9,6 @@
 "summary": "Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor",
 "details": "Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor with default configuration.\n\nThis issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.\n\nUsers are recommended to upgrade to version 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.",
 "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
- },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
@@ -22,7 +18,7 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat:tomcat-catalina"
+ "name": "org.apache.tomcat:tomcat-tribes"
 },
 "ranges": [
 {
@@ -41,7 +37,7 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat:tomcat-catalina"
+ "name": "org.apache.tomcat:tomcat-tribes"
 },
 "ranges": [
 {
@@ -60,7 +56,7 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat:tomcat-catalina"
+ "name": "org.apache.tomcat:tomcat-tribes"
 },
 "ranges": [
 {
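Review bot: In the `@@ -9,10 +9,6 @@` hunk the `CVSS_V3` entry is dropped from `severity`, leaving only the `CVSS_V4` vector, so a consumer that reads only CVSS v3 scores would presumably see this advisory as unscored. Unless the v3 vector was withdrawn at the source, keep both entries, i.e. retain `{ "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" },` ahead of the v4 one. The unchanged `details` line in the same hunk reads `through 9..115`, which looks like a dropped digit (presumably `9.0.115`, given the fix in `9.0.116`) and is worth correcting while the record is being revised.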
@@ -136,17 +132,17 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat.embed:tomcat-embed-core"
+ "name": "org.apache.tomcat:tomcat"
 },
 "ranges": [
 {
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "9.0.13"
+ "introduced": "8.5.38"
 },
 {
- "fixed": "9.0.116"
+ "last_affected": "8.5.100"
 }
 ]
 }
@@ -155,17 +151,17 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat.embed:tomcat-embed-core"
+ "name": "org.apache.tomcat:tomcat"
 },
 "ranges": [
 {
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "10.1.50"
+ "introduced": "7.0.100"
 },
 {
- "fixed": "10.1.53"
+ "last_affected": "7.0.109"
 }
 ]
 }
@@ -174,17 +170,36 @@
 {
 "package": {
 "ecosystem": "Maven",
- "name": "org.apache.tomcat.embed:tomcat-embed-core"
+ "name": "org.apache.tomcat:tomcat-tribes"
 },
 "ranges": [
 {
 "type": "ECOSYSTEM",
 "events": [
 {
- "introduced": "11.0.0-M1"
+ "introduced": "8.5.38"
 },
 {
- "fixed": "11.0.19"
+ "last_affected": "8.5.100"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Maven",
+ "name": "org.apache.tomcat:tomcat-tribes"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "7.0.100"
+ },
+ {
+ "last_affected": "7.0.109"
 }
 ]
 }
@@ -204,6 +219,10 @@
 "type": "WEB",
 "url": "https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w"
 },
+ {
+ "type": "WEB",
+ "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-29146"
+ },
 {
 "type": "WEB",
 "url": "http://www.openwall.com/lists/oss-security/2026/04/09/24"
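Review bot: The 8.5.x and 7.0.x ranges added in the `@@ -136,17 +132,17 @@`, `@@ -155,17 +151,17 @@` and `@@ -174,17 +170,36 @@` hunks end in `last_affected` with no `fixed` event, while `details` still recommends only 11.0.19, 10.1.53 and 9.0.116. A user on those branches is flagged with no stated remediation; if no fixed 8.5.x or 7.0.x release exists (presumably because those lines are end-of-life), `details` should say so, for example `No fixed release is available for 8.5.x or 7.0.x; move to a release line that has a fix.` The same three hunks overwrite every visible `org.apache.tomcat.embed:tomcat-embed-core` entry (introduced at 9.0.13, 10.1.50 and 11.0.0-M1) instead of adding alongside them, so projects that depend only on the embedded core stop being alerted. That is correct only if that artifact does not ship the Tribes classes, which the commit does not state and which should be confirmed before merging.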