Hello, most likely yes (haven't checked in detail).
Personally, I'm not going to port anything back to TomEE 9.x as I'm currently focused on 10.x work. However, I am available to review any community driven patches/initiatives via PRs targeting tomee-9.x branch.

Best regards
Richard

On 2024/07/09 08:10:59 COURTAULT Francois wrote:
> THALES GROUP LIMITED DISTRIBUTION to email recipients
>
> Hello everyone,
>
> TomEE 9.1.3 is based on Tomcat 10.0.27.
> So the question is: Is TomEE 9.1.3 vulnerable to this CVE?
> If the answer is yes, will you provide a fix for Tomcat 10.0.27 which is not
> maintained anymore? and so will you release a new TomEE 9.x version?
>
> This CVE has been fixed by Tomcat 9.0.90+ and 10.1.25+.
>
> Best Regards.