CVE-2026-43514
Essential information
- Published
- 12/05/2026 16:16
- Modified
- 13/05/2026 18:16
- Author
- —
- Creator
- —
- CVSS
- 3.7 LOW (v3.1)
- CISA KEV
- No
- CWE
- —
- CVSS vector
-
—
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N—
CVSS metrics
- Access vector
- —
- Access complexity
- —
- Authentication
- —
- Confidentiality impact
- —
- Integrity impact
- —
- Availability impact
- —
- Exploitability
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- NETWORK
- Attack complexity
- HIGH
- Privileges required
- NONE
- User interaction
- NONE
- Scope
- UNCHANGED
- Confidentiality impact
- LOW
- Integrity impact
- NONE
- Availability impact
- NONE
- Exploit code maturity
- —
- Remediation level
- —
- Report confidence
- —
- Temporal score
- —
- Attack vector
- —
- Attack complexity
- —
- Attack requirements
- —
- Privileges required
- —
- User interaction
- —
- Confidentiality (V)
- —
- Confidentiality (S)
- —
- Integrity (V)
- —
- Integrity (S)
- —
- Availability (V)
- —
- Availability (S)
- —
- Exploit maturity
- —
Description
Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Older unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
NVD status
- Status
- Undergoing Analysis — CVE is currently being analyzed by NVD staff, this process results in association of reference link tags, CVSS scores, CWE association, and CPE applicability statements.
- Source
- [email protected]
- NVD
- View on NVD
Affected products (CPE)
| Product | CPE |
|---|---|
| apache / tomcat | cpe:2.3:a:apache:tomcat:11.0.0-M1:11.0.21:*:*:*:*:*:* |
| apache / tomcat | cpe:2.3:a:apache:tomcat:10.1.0-M1:10.1.54:*:*:*:*:*:* |
| apache / tomcat | cpe:2.3:a:apache:tomcat:9.0.0.M1:9.0.117:*:*:*:*:*:* |
| apache / tomcat | cpe:2.3:a:apache:tomcat:8.5.0:8.5.100:*:*:*:*:*:* |
| apache / tomcat | cpe:2.3:a:apache:tomcat:7.0.0:7.0.109:*:*:*:*:*:* |
| apache / tomcat | cpe:2.3:a:apache:tomcat:11.0.22:*:*:*:*:*:* |
| apache / tomcat | cpe:2.3:a:apache:tomcat:10.1.55:*:*:*:*:*:* |
| apache / tomcat | cpe:2.3:a:apache:tomcat:9.0.118:*:*:*:*:*:* |