• Products
  • Announcements
  • Release Notes

Service Status

All Systems Operational
Deliver: operational
Customer Portal: operational
Customer Support: operational

CVEs and Vulnerabilities on Your Server

Security scanning software can flag the Innovo Tomcat instance for vulnerabilities. However, based on our configuration, those vulnerabilities do not affect our installation.

Here are the common CVE's reported with explanations on why they do not affect our implementation:

If you have a CVE or vulnerability that isn't included on this list, please reach out to our Support Team with details.

2016
  • CVE-2016-4055
    • Moment.js has not been added to, or included with, the Innovo Service, so this vulnerability is not exploitable. It is possible another Tomcat instance or application on the server uses Moment.js, causing it to appear on a scan, but it is not part of the Innovo Service therefore our installation is not affected by this vulnerability.
2019
  • CVE-2019-8442
    • These CVEs affect JIRA libraries. We do not include any JIRA libraries in our Tomcat instance, so this issue should not affect the Innovo Apps and Services.
  • CVE-2019-17571
    • This vulnerability affects Log4J versions 1.2-1.2.17. Our application is using Log4J version 2.16.0, therefore our installation is not affected by this vulnerability.
2020
  • CVE-2020-9484
    • This vulnerability affects Tomcat instances that have a configured Apache FileStore. Our Tomcat configuration does not use any Apache FileStores therefore our installation is not affected by this vulnerability.
2021
  • CVE-2021-30639
    • This issue states: "Applications that do not use non-blocking I/O are not exposed to this vulnerability". Our application does not expose any endpoints as non-blocking I/O endpoints. All of our transactions are standard blocking HTTP transactions, so our configuration should not be affected by this issue.
  • CVE-2021-44228
    • "From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed.", according to the CVE details. The Innovo Apps and Services will utilize the 2.16 version of Log4j, meaning that this vulnerability should not apply nor be exploitable.
  • CVE-2021-44832
    • This vulnerability specifically mentions targeting configurations that use a "JDBC Appender with a JNDI LDAP data source URI". We do not use JDBC appenders. That is an appender that logs to an actual SQL database. We only use the basic FileAppender which writes our log files as plain-text files to our Tomcat/logs directory under your Innovo installation. Because of this, the vulnerability mentioned in this CVE does not affect the installation on your system.
  • CVE-2021-45046
    • "Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.", according to the CVE details. The Innovo Apps and Services will utilize the 2.16 version of Log4j, meaning that this vulnerability should not apply nor be exploitable.
2022
  • CVE-2022-21549
    • The description for these vulnerabilities specifically state: "This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.". Our application does not use Java Web Start, Java applets, or any other deployment mechanism that loads untrusted code, and it does not rely on the Java sandbox. Therefore our installation is not affected by these vulnerabilities.
  • CVE-2022-22963
    • This CVE affect SpringCloud Libraries. We do not include any SpringCloud libraries in our Tomcat instance, so this issue should not affect the Innovo Apps and Services.
  • CVE-2022-22965
    • This vulnerability applies to app instances that are using either Spring MVC or Spring WebFlux. Our application does not use any Spring frameworks therefore our installation is not affected by this vulnerability.
  • CVE-2022-23181
    • Based on the information in that link, this issue specifically states, "This issue is only exploitable when Tomcat is configured to persist sessions using the FileStore.". We do not use any form of persistent sessions in our application. All our transactions are stateless, so we don't even keep transaction state in memory between calls. We don't use any FileStore's in our app's configuration, so this issue doesn't affect our current configuration.
  • CVE-2022-25647
    • This vulnerability is related to the com.google.code.gson serialization library. Our application does not use this library, therefore our installation is not affected by this vulnerability.
  • CVE-2022-29885
    • This vulnerability affects Tomcat configurations that are running in a cluster over an untrusted network. We do not have our Tomcat instance configured for clustering, and even disable the default AJP port that is typically opened for Apache <-> Tomcat communication (typically used for clustering/high availability routing). Therefore, our installation is not affected by this vulnerability.
  • CVE-2022-34169
    • This vulnerability is related to the Xlatan XSLT generation library. We do not use the Xlatan library, or any other code generation libraries, therefore our installation is not affected by this vulnerability.
  • CVE-2022-34305
    • Based on the official ticket, this vulnerability only affects the default example web application. We have removed all default sample / management webapps that come by default with Tomcat, so our installation is not affected by this vulnerability.
  • CVE-2022-42252
    • Based on the official description, this vulnerability is only applicable when all of the following conditions are met: 1. You have Tomcat configured with the rejectIllegalHeader parameter set to False. 2. The Tomcat instance is behind a reverse proxy that also fails to reject the illegal header.
  • CVE-2022-45143
    • This vulnerability affects Tomcat configurations that use the JsonErrorReportValve to return generic HTTP errors as JSON instead of HTML. We do not use the JsonErrorReportValve, therefore our installation is not affected by this vulnerability.
  • CVE-2022-54677
    • The official ticket for this vulnerability explicitly states that it is a "vulnerability in the examples web application provided with Apache Tomcat". We have removed all example / management webapps that come by default with Tomcat, so our installation is not affected by this vulnerability.
2023
  • CVE-2023-24998
    • This vulnerability only affects Tomcat configurations that use the Apache Commons FileUpload library. Our configuration does not include this library, therefore our installation is not affected by this vulnerability.
  • CVE-2023-28708
    • This vulnerability affects applications configured to use a RemoteIpFilter to manage request sending an X-Forwarded-Proto HTTP header. It involves the possibility of exposing the session cookie for the request to external sources. First, our application is not configured to use a RemoteIpFilter. Second, all of our API calls are stateless, and do not use HTTP sessions, so there is no HTTP session cookie to be exposed. Therefore, our installation is not affected by this vulnerability.
  • CVE-2023-34981
    • This vulnerability affects Tomcat instances that are running behind an Apache HTTP server proxy using AJP connectors. Since we do not run in this configuration we have disabled all AJP connectors in our configuration, therefore, our installation is not affected by this vulnerability.
  • CVE-2023-41080
    • The description of this vulnerability states that the vulnerability is limited to the ROOT (default) web application. We do not include any of the default Tomcat web applications with our installation, therefore the ROOT (default) web application is not deployed. This means that our installation is not affected by this vulnerability.
  • CVE-2023-42794
    • This vulnerability affects the Commons FileUpload component. Our application does not expose any endpoints for direct file upload and does not even reference the Commons FileUpload component. Therefore, our installation is not affected by this vulnerability.
  • CVE-2023-42795
    • While this one could technically affect our application, the risk seems lower than the overall vulnerability report for us. Since we do not expose any public API that we document and allow third parties to use, nor any public web front end that end users access, all of our endpoints are constrained to our internal apps. Our apps don't rely on any internal request/response state, and even if they did hit the case for this error it should be unlikely to cause an error in the Apps.
  • CVE-2023-44487
    • This vulnerability affects the Tomcat HTTP/2 protocol implementation. In the version of Tomcat that our installation is running, you must explicitly enable the HTTP/2 protocol in the server configuration files. Since our application does not use the HTTP/2 protocol, we do not have this protocol enabled in our installation. This means that our installation is not affected by this vulnerability.
  • CVE-2023-45648
    • This vulnerability is related to input validation, specifically when running in a reverse proxy configuration. As our application is not a true web application, we have no endpoints expecting form data. Combined with the fact that we do not run our application in a reverse proxy configuration means our application is not affected by this vulnerability.
  • CVE-2023-46589
    • These vulnerabilities are related to input validation, specifically when running in a reverse proxy configuration. As our application is not a true web application, we have no endpoints expecting form data. Combined with the fact that we do not run our application in a reverse proxy configuration means our application is not affected by this vulnerability.
2024
  • CVE-2024-23672
    • This vulnerability affects public WebSocket endpoints. Since we do not expose any public WebSocket endpoints, this vulnerability should not be exploitable.
  • CVE-2024-24549
    • This vulnerability affects HTTP/2 processing. HTTP/2 processing must be explicitly enabled based on the server settings, and we do not enable HTTP/2 processing. Since we do not have a public-facing web interface, we have no need for HTTP/2, and therefore this vulnerability should not affect the Innovo Tomcat Instance.
  • CVE-2024-34750
    • This vulnerability requires HTTP/2 to be enabled. Our application does not enable HTTP/2 processing, therefore our installation is not affected by this vulnerability.
  • CVE-2024-38286
    • There is not an official entry in the NIST database for this CVE yet. From the details mentioned on the Apache mailing list, this vulnerability only affects applications that are using TLS 1.3. The Innovo Applications and Services have only been enabled to use TLS 1.2, so this vulnerability should not affect them.
  • CVE-2024-50379
    • This vulnerability is only applicable when the default servlet is enabled for write (non-default configuration). We do not configure the default servlet to enable write access, therefore our application is not affected by this vulnerability.
  • CVE-2024-52316
    • This exploit relies on the use of Jakarta Authentication (formerly JASPIC). The Innovo Applications and Services do not utilize Jakarta Authentication, and thus should not be affected by this vulnerability.
  • CVE-2024-54677
    • The official ticket for this vulnerability explicitly states that it is a vulnerability in the examples web application provided with Apache Tomcat. We have removed all example / management webapps that come by default with Tomcat, so our installation is not affected by this vulnerability.
  • CVE-2024-56337
    • These vulnerabilities are only applicable when the default servlet is enabled for write (non-default configuration). We do not configure the default server to enable write access, therefore our application is not affected by this vulnerability.
2025
  • CVE-2025-5350
    • This vulnerability only affects Tomcat instances running inside a WSO2 container. Our Tomcat instance is a standalone instance and we do not use any WSO2 products, therefore our installation is not affected by this vulnerability.
  • CVE-2025-24813
    • This vulnerability has very specific conditions. We do not enable file writes for the default servlet. We do not have service endpoints for file uploads that write directly to disk. We do not enable or use Tomcat file-based session persistence. We do not use persistent sessions at all. Based on this, our installation is not affected by this vulnerability.
  • CVE-2025-31650
    • This vulnerability is related to HTTP/2 priority header processing. HTTP/2 must be explicitly enabled based on the server settings, and our application does not enable HTTP/2 processing. Therefore, our installation is not affected by this vulnerability.
  • CVE-2025-31651
    • This vulnerability is related to specific Tomcat rewrite rules. Our configuration does not use any Tomcat rewrite functionality so our installation is not affected by this vulnerability.
  • CVE-2025-46701
    • This vulnerability is related to the Tomcat CGI Servlet. We do not have any endpoints that are configured to use the CGI Servlet, so our installation is not affected by this vulnerability.
  • CVE-2025-48976
    • This vulnerability is related to multipart upload requests. Our application does not expose any public endpoints that accept multipart upload data, therefore our installation is not affected by this vulnerability.
  • CVE-2025-48988
    • This vulnerability is related to multipart upload requests. Our application does not expose any public endpoints that accept multipart upload data, therefore our installation is not affected by this vulnerability.
  • CVE-2025-48989
    • This vulnerability is related to multipart upload requests. Our application does not expose any public endpoints that accept multipart upload data, therefore our installation is not affected by this vulnerability.
  • CVE-2025-49124
    • This vulnerability is within the Tomcat Installer for Windows. We do not utilize the Tomcat Installer. Instead, we install the files manually with our own installer. For this reason, this CVE should not affect the Innovo Services.
  • CVE-2025-49125
    • This vulnerability is related to PreResource and PostResource configurations that are mounted outside the webapps root folder. Our application does not configure any PreResource or PostResource resources, and does not have any type of resource mounted outside the webapps root folder. Therefore, our installation is not affected by this vulnerability.
  • CVE-2025-52434
    • This vulnerability is related to the APR native connector. Our application does not use the APR protocols, so we have explicitly disabled the APR connector in our configuration. Therefore our installation is not affected by this vulnerability.
  • CVE-2025-52520
    • These vulnerabilities are related to multipart upload requests. Our application does not expose any public endpoints that accept multipart upload data, therefore our installation is not affected by this vulnerability.
  • CVE-2025-53506
    • These vulnerabilities affect the Tomcat HTTP/2 protocol implementation. In the version of Tomcat that our installation is running, you must explicitly enable the HTTP/2 protocol in the server configuration files. Since our application does not use the HTTP/2 protocol, we do not have this protocol enabled in our installation. Therefore, our installation is not affected by this vulnerability.
  • CVE-2025-55668
    • This is a session fixation vulnerability involving the Tomcat URL rewrite valve. We do not enable the rewrite in our configuration, nor do we use or maintain any stateful session information. Therefore, our installation is not affected by this vulnerability.
  • CVE-2025-55752
    • This vulnerability is related to specific Tomcat rewrite rules. Our configuration does not use any Tomcat rewrite functionality so our installation is not affected by this vulnerability.
  • CVE-2025-55754
    • This vulnerability is specific to Tomcat being started from the Windows console. We do not start Tomcat from the console, therefore our installation is not affected by this vulnerability.
  • CVE-2025-61795
    • This vulnerability is related to multipart-form submits. Our application does not expose any public endpoints that will accept the multipart/form-data mime type. Therefore our installation is not affected by this vulnerability.
  • CVE-2025-66614
    • This vulnerability requires the use of virtual hosts. We do not use any virtual hosts in our application, and all of our authentication is global to our application rather than specific to any single Connector. Therefore, our installation is not affected by this vulnerability.
  • CVE-2025-68161
    • This vulnerability is specific to Log4j socket appenders using TLS connections. We do not use any socket appenders all of our logs are written directly to local files therefore our installation is not affected by this vulnerability.
2026
  • CVE-2026-24733
    • This vulnerability requires endpoints configured to accept HEAD requests and deny GET requests. We do not have any endpoints configured this way, therefore our installation is not affected by this vulnerability.
  • CVE-2026-24734
    • This vulnerability only affects Tomcat instances that are configured as an OCSP responder. Our instance is not configured as an OCSP responder, nor do we use OCSP certificates, therefore our installation is not affected by this vulnerability.
  • CVE-2026-24880
    • This vulnerability is specific to the handling of chunked transfer-encoding requests. We do not expose any endpoints that support chunked encoding therefore our installation is not affected by this vulnerability.
  • CVE-2026-25854
    • This vulnerability is specific to Tomcat's LoadBalancerDrainingValve. We do not use the LoadBalancerDrainingValve, or any form of load balancing, therefore our installation is not affected by this vulnerability.
  • CVE-2026-29146
    • This vulnerability is specific to Tomcat's EncryptInterceptor. We do not use the EncryptInterceptor therefore our installation is not affected by this vulnerability.
  • CVE-2026-34477
    • This vulnerability is specific to Log4j network appenders (SMTP, Socket, or Syslog) using TLS connections. We do not use any network appenders; our configuration only appends to local log files, therefore our installation is not affected by this vulnerability.
  • CVE-2026-34480
    • This vulnerability is specific to Log4j's XmlLayout. We do not use XmlLayout all of our logs are written to local files in plain text therefore our installation is not affected by this vulnerability.
  • CVE-2026-34483
    • This vulnerability is specific to Tomcat's JsonAccessLogValve. We do not use the JsonAccessLogValve we use the standard plain-text access log valve therefore our installation is not affected by this vulnerability.
  • CVE-2026-34487
    • This vulnerability is specific to Tomcat's cloud (Kubernetes) membership provider for clustering. We do not use Kubernetes or any other clustering framework therefore our installation is not affected by this vulnerability.
  • CVE-2026-41284
    • This vulnerability is specific to WebDAV endpoints. We do not expose any WebDAV endpoints and do not support WebDAV therefore our installation is not affected by this vulnerability.
  • CVE-2026-41293
    • This vulnerability is specific to Tomcat's HTTP/2 request header processing. We do not use HTTP/2; all connections use HTTP/1.1, so no HTTP/2 HPACK header processing occurs therefore our installation is not affected by this vulnerability.
  • CVE-2026-42498
    • This vulnerability is specific to public WebSocket endpoints. We do not expose any public WebSocket endpoints therefore our installation is not affected by this vulnerability.
  • CVE-2026-43512
    • This vulnerability is specific to Tomcat's DIGEST authenticator. We do not use digest authentication all of our authentication is token-based therefore our installation is not affected by this vulnerability.
  • CVE-2026-43513
    • This vulnerability is specific to Tomcat's LockOutRealm. We do not use the LockOutRealm therefore our installation is not affected by this vulnerability.
  • CVE-2026-43514
    • This vulnerability is specific to AJP connectors. We specifically disable AJP connectors in our configuration, so no AJP connection is possible. Therefore, our installation is not affected by this vulnerability.
  • CVE-2026-43515
    • This vulnerability is specific to extension-based authentication filters. We do not use extension-based authentication filters all of our authentication is global, token-based therefore our installation is not affected by this vulnerability.
  • CVE-2026-50229
    • This vulnerability is specific to the number guess example web application provided with Apache Tomcat. We do not deploy the number guess example web application; we specifically remove all sample / default web applications that come with a basic Tomcat installation. Therefore, our installation is not affected by this vulnerability.
  • CVE-2026-53404
    • This vulnerability is specific to Tomcat rewrite valves. We do not enable any rewrite valves in our configuration, and our application does not enable or support any URL rewriting. Therefore, our installation is not affected by this vulnerability.
  • CVE-2026-53434
    • This vulnerability is specific to Connectors configured to use OpenSSL FFM. We do not configure our Connector to use OpenSSL FFM, and no FFM connectors exist in our application. Therefore, our installation is not affected by this vulnerability.
  • CVE-2026-55276
    • This vulnerability is specific to authorization constraints configured in web.xml. We do not configure authorization constraints in our web.xml, therefore our installation is not affected by this vulnerability.
  • CVE-2026-55955
    • This vulnerability is specific to the Tomcat cluster component. We do not configure the cluster component in our Tomcat installation, as we do not support any clustering. Therefore, our installation is not affected by this vulnerability.
  • CVE-2026-55956
    • This vulnerability is specific to security constraints on the Tomcat default servlet. We do not configure any security constraints on the default servlet; all security / authorization is handled by our application directly, and does not rely on any default servlet features. Therefore, our installation is not affected by this vulnerability.
  • CVE-2026-55957
    • This vulnerability is specific to JNDI and other Naming Directory authentication. We do not configure nor support any JNDI or any other Naming Directory authentication in our application. Therefore, our installation is not affected by this vulnerability.
Download PDF

Comments

0 comments

Please sign in to leave a comment.