
[GHSA-fccv-jmmp-qg76] Apache Tomcat Improper Input Validation vulnerability#7662

Open

aruneko wants to merge 1 commit into aruneko/advisory-improvement-7662 from aruneko-GHSA-fccv-jmmp-qg76

Conversation


@aruneko aruneko commented May 12, 2026


Updates

  • Affected products

Comments
improve affected packages

Copilot AI review requested due to automatic review settings May 12, 2026 07:17
@github-actions github-actions Bot changed the base branch from main to aruneko/advisory-improvement-7662 May 12, 2026 07:18

Copilot AI left a comment


Pull request overview

Updates the OSV advisory for GHSA-fccv-jmmp-qg76 (Apache Tomcat improper input validation / request smuggling risk) by expanding the set of affected Maven artifacts and their vulnerable version ranges.

Changes:

  • Added org.apache.tomcat:tomcat-coyote as an affected Maven package across the relevant vulnerable/fixed version lines.
  • Added org.apache.tomcat:tomcat as an affected Maven package across the relevant vulnerable/fixed version lines.
  • Bumped the advisory modified timestamp (but it remains in 2025).


"schema_version": "1.4.0",
"id": "GHSA-fccv-jmmp-qg76",
"modified": "2025-08-08T18:32:42Z",
"modified": "2025-08-08T18:32:43Z",
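Review bot: the `modified` field only moves forward by one second (18:32:42Z to 18:32:43Z) and keeps its 2025 date, even though the affected-package list is being changed in May 2026. Set it to the actual time of this edit so the change is not overlooked by anything that orders or syncs advisories by `modified`.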
@github-actions


👋 This pull request has been marked as stale because it has been open with no activity. You can: comment on the issue or remove the stale label to hold stale off for a while, add the Keep label to hold stale off permanently, or do nothing. If you do nothing this pull request will be closed eventually by the stale bot. Please see CONTRIBUTING.md for more policy details.

@github-actions github-actions Bot added the Stale label Jun 12, 2026

aruneko commented Jun 12, 2026


What is the status of the review for this pull request?

@JonathanLEvans


Can you explain how you determined that org.apache.tomcat:tomcat-coyote is affected?

@github-actions github-actions Bot removed the Stale label Jun 13, 2026

aruneko commented Jun 15, 2026


In this commit, Tomcat fixed the vulnerability.

apache/tomcat@6f181e10

The commit includes the files java/org/apache/tomcat/util/http/InvalidParameterException.java and java/org/apache/tomcat/util/http/Parameters.java. They are also included in tomcat-coyote.
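One way to verify the reasoning above locally, added here as an example and not part of the thread or of the advisory tooling: map the source files touched by the fix commit to the `.class` entries a built jar would carry, then check which artifacts actually ship them. The jars below are constructed in memory; in practice you would read the real artifacts from your local Maven cache.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Source paths touched by the fix commit, as named in the discussion above.
FIX_SOURCES = [
    "java/org/apache/tomcat/util/http/InvalidParameterException.java",
    "java/org/apache/tomcat/util/http/Parameters.java",
]


def source_to_class_entry(src: str, root: str = "java/") -> str:
    """Map a Tomcat source path under the 'java/' tree to the jar entry a build
    produces: java/org/.../Parameters.java -> org/.../Parameters.class.
    Inner classes (Name$Inner.class) are not covered by this mapping."""
    p = PurePosixPath(src)
    if not src.startswith(root) or p.suffix != ".java":
        raise ValueError(f"not a Java source under {root}: {src}")
    return str(p.relative_to(root).with_suffix(".class"))


def shipped_classes(jar_bytes: bytes, sources: list[str]) -> dict[str, bool]:
    """Return {class entry: present-in-jar?} for the given jar contents."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = set(jar.namelist())
    return {entry: entry in names for entry in map(source_to_class_entry, sources)}


def affected_artifacts(jars: dict[str, bytes], sources=FIX_SOURCES) -> list[str]:
    """Names of the artifacts that ship every class touched by the fix."""
    return [name for name, data in jars.items()
            if all(shipped_classes(data, sources).values())]


def build_sample_jar(entries: list[str]) -> bytes:
    """Constructed stand-in for a downloaded artifact (assumption for this
    example; real jars would be read from ~/.m2/repository/...)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for entry in entries:
            jar.writestr(entry, b"\xca\xfe\xba\xbe")  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    sample = {  # constructed jars, not real Tomcat artifacts
        "sample-coyote.jar": build_sample_jar(
            [source_to_class_entry(s) for s in FIX_SOURCES]),
        "sample-other.jar": build_sample_jar(["org/example/Other.class"]),
    }
    print(affected_artifacts(sample))  # ['sample-coyote.jar']
```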
