BIT-tomcat-2026-29145

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2026-29145.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-tomcat-2026-29145

Aliases

CVE-2026-29145
GHSA-95jq-rwvf-vjx4

Published

2026-04-13T10:19:53.698Z

Modified

2026-04-13T12:26:01.019045681Z

Summary

Apache Tomcat, Apache Tomcat Native: OCSP checks sometimes soft-fail even when soft-fail is disabled

Details

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled vulnerability in Apache Tomcat, Apache Tomcat Native.

This issue affects Apache Tomcat: from 11.0.0 through 11.0.18, from 10.1.0 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

Users are recommended to upgrade to version Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue.

Database specific

{
    "severity": "Critical",
    "cpes": [
        "cpe:2.3:a:apache:tomcat:*:*:*:*:*:maven:*:*"
    ]
}

References

Affected packages

Bitnami / tomcat

Package

Name: tomcat
Purl: pkg:bitnami/tomcat

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.5.98

Introduced

9.0.83

Fixed

9.0.116

Introduced

10.1.0

Fixed

10.1.53

Introduced

11.0.0

Fixed

11.0.20

Database specific

source

"https://github.com/bitnami/vulndb/tree/main/data/tomcat/BIT-tomcat-2026-29145.json"