Summary
The bundled Apache Tomcat version pinned at parent/pom.xml:70 (<tomcat.version>9.0.113</tomcat.version>) is affected by 6 published Apache Tomcat CVEs. Apache has shipped fixes in versions through 9.0.117; 9.0.118 is the latest 9.0.x patch (released 2026-05-10). A single-line property bump resolves all 6.
Reported through Freshdesk ticket #37395 (security audit by an enterprise customer).
Affected CVEs (apply to 9.0.113)
Source: https://tomcat.apache.org/security-9.html
Not affected (false positive in original report)
CVE-2025-66614 (Moderate, virtual-host client-certificate verification bypass) — Apache lists this as fixed in 9.0.113, so our bundled version already contains the fix. The original audit report flagged it but it does not apply here.
Required change
- <tomcat.version>9.0.113</tomcat.version>
+ <tomcat.version>9.0.118</tomcat.version>
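Review bot: the property being bumped also feeds the docker base image tag (tomcat:${tomcat.version}-jdk11), the dotserver/tomcat-${tomcat.version} distribution folder and the remote tomcat zip URL, so Maven resolving 9.0.118 does not on its own prove the build is green; the tomcat:9.0.118-jdk11 pull and the zip download for 9.0.118 should be exercised in the same change before merge, as the action items below already require.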
Single-property bump in parent/pom.xml:70. The property propagates to:
- bom/application/pom.xml — BOM declarations
- dotCMS/pom.xml — direct dependency, docker base image (tomcat:${tomcat.version}-jdk11), distribution folder (dotserver/tomcat-${tomcat.version}), and remote tomcat zip URL
- dotcms-integration/pom.xml
- dotCMS/src/main/docker/original/docker-descriptor.xml
Bumping to 9.0.117 is sufficient to clear all 6 listed CVEs; 9.0.118 is recommended for currency. Tomcat 9.0.x is API-stable across patch versions, so no source-code changes are required.
Verification already done
- Each reported CVE was cross-referenced against the Apache Tomcat 9 security advisory page — 6 valid, 1 already fixed in our current pin (CVE-2025-66614).
- mvn dependency:tree confirms tomcat-catalina:9.0.113 is the resolved artifact in dotCMS/maven_dep_tree.txt (15 tomcat refs total in that module, 9 in dotcms-integration).
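The dependency:tree check above can be turned into a repeatable gate. The script below is an added example, not code from this issue or the dotCMS project: it scans saved `mvn dependency:tree` output for any org.apache.tomcat (or org.apache.tomcat.embed) artifact still resolved below 9.0.117, the lowest patch that clears all six CVEs, and fails when one remains. The sample tree is constructed, and its non-Tomcat coordinates are placeholders.

```python
import re
import sys
from typing import List, Tuple

# Lowest Tomcat 9.0.x patch that contains fixes for all six CVEs in this issue.
MIN_FIXED = (9, 0, 117)

# One coordinate as `mvn dependency:tree` prints it: groupId:artifactId:type:version:scope
TOMCAT_COORD = re.compile(
    r"(?P<group>org\.apache\.tomcat(?:\.embed)?):(?P<artifact>[\w.-]+):[\w.-]+"
    r":(?P<version>\d+(?:\.\d+)*):(?P<scope>\w+)"
)

# Constructed sample in dependency:tree format; the non-Tomcat coordinates
# are placeholders, not dotCMS's real artifacts.
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0
[INFO] +- org.apache.tomcat:tomcat-catalina:jar:9.0.113:compile
[INFO] |  \- org.apache.tomcat:tomcat-servlet-api:jar:9.0.113:compile
[INFO] +- org.apache.tomcat:tomcat-jasper:jar:9.0.118:compile
[INFO] +- org.apache.tomcat.embed:tomcat-embed-core:jar:9.0.113:test
[INFO] \- org.apache.commons:commons-lang3:jar:3.14.0:compile
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """'9.0.113' -> (9, 0, 113); tuples compare numerically, strings would not."""
    return tuple(int(part) for part in text.split("."))

def find_outdated_tomcat(tree_text: str, min_fixed=MIN_FIXED) -> List[Tuple[str, str]]:
    """(groupId:artifactId, version) for every Tomcat artifact resolved below min_fixed.
    Every line is checked so a transitive pull of an older Tomcat is caught too."""
    hits = []
    for line in tree_text.splitlines():
        m = TOMCAT_COORD.search(line)
        if m and parse_version(m.group("version")) < min_fixed:
            hits.append((f"{m.group('group')}:{m.group('artifact')}", m.group("version")))
    return hits

def gate(tree_text: str) -> bool:
    """CI gate: True only when no Tomcat artifact below the fixed version remains."""
    return not find_outdated_tomcat(tree_text)

if __name__ == "__main__":
    # mvn dependency:tree > maven_dep_tree.txt && python this_script.py maven_dep_tree.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for coord, version in find_outdated_tomcat(text):
        print(f"VULNERABLE {coord}:{version} (< {'.'.join(map(str, MIN_FIXED))})")
    sys.exit(0 if gate(text) else 1)
```

Run it against dotCMS/maven_dep_tree.txt before and after the bump; a non-zero exit means a Tomcat coordinate is still pinned or transitively pulled below the fixed version.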
Action items
- Bump tomcat.version to 9.0.118 in parent/pom.xml
- dotcms/dotcms docker base pulls tomcat:9.0.118-jdk11 cleanly
- org.apache.tomcat:* drops to zero
- LTS backports: 24.12.27_lts (target: next LTS revision, currently at _v20) and 25.07.10_lts (target: next LTS revision, currently at _v9)
Severity / SLA
- CVE-2026-29146 is the only "Important"-rated item. Real-world exploitability is conditional: it affects clusters using Tomcat's EncryptInterceptor, which is not enabled by default in dotCMS. Still worth fixing promptly.
- The remaining 5 are Low/Moderate per Apache's rating.
- By our internal vulnerability-management SLA, this is High priority (one Important CVE + active enterprise customer pressure). Patch lands in main within 7 days, release cut within 14 days, LTS backports same window.
Notes
This is a routine SCA-driven dependency bump. The change is mechanical; the verification work is what takes time. Once the bump is in, the BOM and docker manifests rebuild automatically via the existing build pipeline.