Publish GHSA-h468-7pvh-8vr8

advisory-database[bot] · advisory-database[bot] · commit b2d91bb7c6e5 · 2026-04-15T21:35:32.000Z
diff --git a/advisories/github-reviewed/2026/04/GHSA-h468-7pvh-8vr8/GHSA-h468-7pvh-8vr8.json b/advisories/github-reviewed/2026/04/GHSA-h468-7pvh-8vr8/GHSA-h468-7pvh-8vr8.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h468-7pvh-8vr8",
-  "modified": "2026-04-10T21:32:09Z",
+  "modified": "2026-04-15T21:33:40Z",
   "published": "2026-04-09T21:31:29Z",
   "aliases": [
     "CVE-2026-29146"
@@ -22,7 +22,7 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.apache.tomcat:tomcat-catalina"
+        "name": "org.apache.tomcat:tomcat-tribes"
       },
       "ranges": [
         {
@@ -41,7 +41,7 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.apache.tomcat:tomcat-catalina"
+        "name": "org.apache.tomcat:tomcat-tribes"
       },
       "ranges": [
         {
@@ -60,7 +60,7 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.apache.tomcat:tomcat-catalina"
+        "name": "org.apache.tomcat:tomcat-tribes"
       },
       "ranges": [
         {
@@ -70,11 +70,14 @@
               "introduced": "11.0.0-M1"
             },
             {
-              "fixed": "11.0.19"
+              "fixed": "11.0.20"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 11.0.18"
+      }
     },
     {
       "package": {
@@ -127,7 +130,29 @@
               "introduced": "11.0.0-M1"
             },
             {
-              "fixed": "11.0.19"
+              "fixed": "11.0.20"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 11.0.18"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.tomcat:tomcat-tribes"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "8.5.38"
+            },
+            {
+              "last_affected": "8.5.100"
             }
           ]
         }
@@ -136,17 +161,17 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.apache.tomcat.embed:tomcat-embed-core"
+        "name": "org.apache.tomcat:tomcat"
       },
       "ranges": [
         {
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "9.0.13"
+              "introduced": "8.5.38"
             },
             {
-              "fixed": "9.0.116"
+              "last_affected": "8.5.100"
             }
           ]
         }
@@ -155,17 +180,17 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.apache.tomcat.embed:tomcat-embed-core"
+        "name": "org.apache.tomcat:tomcat-tribes"
       },
       "ranges": [
         {
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "10.1.50"
+              "introduced": "7.0.100"
             },
             {
-              "fixed": "10.1.53"
+              "last_affected": "7.0.109"
             }
           ]
         }
@@ -174,17 +199,17 @@
     {
       "package": {
         "ecosystem": "Maven",
-        "name": "org.apache.tomcat.embed:tomcat-embed-core"
+        "name": "org.apache.tomcat:tomcat"
       },
       "ranges": [
         {
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "11.0.0-M1"
+              "introduced": "7.0.100"
             },
             {
-              "fixed": "11.0.19"
+              "last_affected": "7.0.109"
             }
           ]
         }
@@ -196,6 +221,18 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29146"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/tomcat/commit/0112ed22abfccc3d54e44d91eb08804d0886acd1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/tomcat/commit/607ebc0fa522bd9e8c05517baa2d179bbd1e659c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/tomcat/commit/6d955cceca841f2eabf2d6c46b59a8c7e1cd6eaa"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/apache/tomcat"
@@ -204,6 +241,22 @@
       "type": "WEB",
       "url": "https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w"
     },
+    {
+      "type": "WEB",
+      "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53"
+    },
+    {
+      "type": "WEB",
+      "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20"
+    },
+    {
+      "type": "WEB",
+      "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-29146"
+    },
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2026/04/09/24"

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-h468-7pvh-8vr8",`
`4`		`- "modified": "2026-04-10T21:32:09Z",`
	`4`	`+ "modified": "2026-04-15T21:33:40Z",`
`5`	`5`	`"published": "2026-04-09T21:31:29Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2026-29146"`
`@@ -22,7 +22,7 @@`
`22`	`22`	`{`
`23`	`23`	`"package": {`
`24`	`24`	`"ecosystem": "Maven",`
`25`		`- "name": "org.apache.tomcat:tomcat-catalina"`
	`25`	`+ "name": "org.apache.tomcat:tomcat-tribes"`
`26`	`26`	`},`
`27`	`27`	`"ranges": [`
`28`	`28`	`{`
`@@ -41,7 +41,7 @@`
`41`	`41`	`{`
`42`	`42`	`"package": {`
`43`	`43`	`"ecosystem": "Maven",`
`44`		`- "name": "org.apache.tomcat:tomcat-catalina"`
	`44`	`+ "name": "org.apache.tomcat:tomcat-tribes"`
`45`	`45`	`},`
`46`	`46`	`"ranges": [`
`47`	`47`	`{`
`@@ -60,7 +60,7 @@`
`60`	`60`	`{`
`61`	`61`	`"package": {`
`62`	`62`	`"ecosystem": "Maven",`
`63`		`- "name": "org.apache.tomcat:tomcat-catalina"`
	`63`	`+ "name": "org.apache.tomcat:tomcat-tribes"`
`64`	`64`	`},`
`65`	`65`	`"ranges": [`
`66`	`66`	`{`
`@@ -70,11 +70,14 @@`
`70`	`70`	`"introduced": "11.0.0-M1"`
`71`	`71`	`},`
`72`	`72`	`{`
`73`		`- "fixed": "11.0.19"`
	`73`	`+ "fixed": "11.0.20"`
`74`	`74`	`}`
`75`	`75`	`]`
`76`	`76`	`}`
`77`		`- ]`
	`77`	`+ ],`
	`78`	`+ "database_specific": {`
	`79`	`+ "last_known_affected_version_range": "<= 11.0.18"`
	`80`	`+ }`
`78`	`81`	`},`
`79`	`82`	`{`
`80`	`83`	`"package": {`
`@@ -127,7 +130,29 @@`
`127`	`130`	`"introduced": "11.0.0-M1"`
`128`	`131`	`},`
`129`	`132`	`{`
`130`		`- "fixed": "11.0.19"`
	`133`	`+ "fixed": "11.0.20"`
	`134`	`+ }`
	`135`	`+ ]`
	`136`	`+ }`
	`137`	`+ ],`
	`138`	`+ "database_specific": {`
	`139`	`+ "last_known_affected_version_range": "<= 11.0.18"`
	`140`	`+ }`
	`141`	`+ },`
	`142`	`+ {`
	`143`	`+ "package": {`
	`144`	`+ "ecosystem": "Maven",`
	`145`	`+ "name": "org.apache.tomcat:tomcat-tribes"`
	`146`	`+ },`
	`147`	`+ "ranges": [`
	`148`	`+ {`
	`149`	`+ "type": "ECOSYSTEM",`
	`150`	`+ "events": [`
	`151`	`+ {`
	`152`	`+ "introduced": "8.5.38"`
	`153`	`+ },`
	`154`	`+ {`
	`155`	`+ "last_affected": "8.5.100"`
`131`	`156`	`}`
`132`	`157`	`]`
`133`	`158`	`}`
`@@ -136,17 +161,17 @@`
`136`	`161`	`{`
`137`	`162`	`"package": {`
`138`	`163`	`"ecosystem": "Maven",`
`139`		`- "name": "org.apache.tomcat.embed:tomcat-embed-core"`
	`164`	`+ "name": "org.apache.tomcat:tomcat"`
`140`	`165`	`},`
`141`	`166`	`"ranges": [`
`142`	`167`	`{`
`143`	`168`	`"type": "ECOSYSTEM",`
`144`	`169`	`"events": [`
`145`	`170`	`{`
`146`		`- "introduced": "9.0.13"`
	`171`	`+ "introduced": "8.5.38"`
`147`	`172`	`},`
`148`	`173`	`{`
`149`		`- "fixed": "9.0.116"`
	`174`	`+ "last_affected": "8.5.100"`
`150`	`175`	`}`
`151`	`176`	`]`
`152`	`177`	`}`
`@@ -155,17 +180,17 @@`
`155`	`180`	`{`
`156`	`181`	`"package": {`
`157`	`182`	`"ecosystem": "Maven",`
`158`		`- "name": "org.apache.tomcat.embed:tomcat-embed-core"`
	`183`	`+ "name": "org.apache.tomcat:tomcat-tribes"`
`159`	`184`	`},`
`160`	`185`	`"ranges": [`
`161`	`186`	`{`
`162`	`187`	`"type": "ECOSYSTEM",`
`163`	`188`	`"events": [`
`164`	`189`	`{`
`165`		`- "introduced": "10.1.50"`
	`190`	`+ "introduced": "7.0.100"`
`166`	`191`	`},`
`167`	`192`	`{`
`168`		`- "fixed": "10.1.53"`
	`193`	`+ "last_affected": "7.0.109"`
`169`	`194`	`}`
`170`	`195`	`]`
`171`	`196`	`}`
`@@ -174,17 +199,17 @@`
`174`	`199`	`{`
`175`	`200`	`"package": {`
`176`	`201`	`"ecosystem": "Maven",`
`177`		`- "name": "org.apache.tomcat.embed:tomcat-embed-core"`
	`202`	`+ "name": "org.apache.tomcat:tomcat"`
`178`	`203`	`},`
`179`	`204`	`"ranges": [`
`180`	`205`	`{`
`181`	`206`	`"type": "ECOSYSTEM",`
`182`	`207`	`"events": [`
`183`	`208`	`{`
`184`		`- "introduced": "11.0.0-M1"`
	`209`	`+ "introduced": "7.0.100"`
`185`	`210`	`},`
`186`	`211`	`{`
`187`		`- "fixed": "11.0.19"`
	`212`	`+ "last_affected": "7.0.109"`
`188`	`213`	`}`
`189`	`214`	`]`
`190`	`215`	`}`
`@@ -196,6 +221,18 @@`
`196`	`221`	`"type": "ADVISORY",`
`197`	`222`	`"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29146"`
`198`	`223`	`},`
	`224`	`+ {`
	`225`	`+ "type": "WEB",`
	`226`	`+ "url": "https://github.com/apache/tomcat/commit/0112ed22abfccc3d54e44d91eb08804d0886acd1"`
	`227`	`+ },`
	`228`	`+ {`
	`229`	`+ "type": "WEB",`
	`230`	`+ "url": "https://github.com/apache/tomcat/commit/607ebc0fa522bd9e8c05517baa2d179bbd1e659c"`
	`231`	`+ },`
	`232`	`+ {`
	`233`	`+ "type": "WEB",`
	`234`	`+ "url": "https://github.com/apache/tomcat/commit/6d955cceca841f2eabf2d6c46b59a8c7e1cd6eaa"`
	`235`	`+ },`
`199`	`236`	`{`
`200`	`237`	`"type": "PACKAGE",`
`201`	`238`	`"url": "https://github.com/apache/tomcat"`
`@@ -204,6 +241,22 @@`
`204`	`241`	`"type": "WEB",`
`205`	`242`	`"url": "https://lists.apache.org/thread/lzt04z2pb3dc5tk85obn80xygw3z1p0w"`
`206`	`243`	`},`
	`244`	`+ {`
	`245`	`+ "type": "WEB",`
	`246`	`+ "url": "https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.53"`
	`247`	`+ },`
	`248`	`+ {`
	`249`	`+ "type": "WEB",`
	`250`	`+ "url": "https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.20"`
	`251`	`+ },`
	`252`	`+ {`
	`253`	`+ "type": "WEB",`
	`254`	`+ "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.116"`
	`255`	`+ },`
	`256`	`+ {`
	`257`	`+ "type": "WEB",`
	`258`	`+ "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-29146"`
	`259`	`+ },`
`207`	`260`	`{`
`208`	`261`	`"type": "WEB",`
`209`	`262`	`"url": "http://www.openwall.com/lists/oss-security/2026/04/09/24"`