Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.apache.tomcat/tomcat@9.0.0-M11
Typemaven
Namespaceorg.apache.tomcat
Nametomcat
Version9.0.0-M11
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version9.0.0.M3
Latest_non_vulnerable_version11.0.18
Affected_by_vulnerabilities
0
url VCID-d8re-94xd-nycp
vulnerability_id VCID-d8re-94xd-nycp
summary 
Apache Tomcat Vulnerable to Relative Path Traversal
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI.



This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108.

The following versions were EOL at the time the CVE was created but are  known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
references
0
reference_url https://cert-portal.siemens.com/productcert/html/ssa-032379.html
reference_id
reference_type
scores
url https://cert-portal.siemens.com/productcert/html/ssa-032379.html
1
reference_url https://github.com/apache/tomcat/commit/130d36d8492ef9e4eb22952c17c92423cb35fd06
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/130d36d8492ef9e4eb22952c17c92423cb35fd06
2
reference_url https://github.com/apache/tomcat/commit/b5042622b8b78340ae65403c55dcb9c7416924df
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/b5042622b8b78340ae65403c55dcb9c7416924df
3
reference_url https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/fec06c610ed7466b401e29cc567a58aee5ed826a
4
reference_url https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
reference_id
reference_type
scores
url https://lists.apache.org/thread/n05kjcwyj1s45ovs8ll1qrrojhfb1tog
5
reference_url https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45
reference_id
reference_type
scores
url https://tomcat.apache.org/security-10.html#Fixed_in_Apache_Tomcat_10.1.45
6
reference_url https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11
reference_id
reference_type
scores
url https://tomcat.apache.org/security-11.html#Fixed_in_Apache_Tomcat_11.0.11
7
reference_url https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109
reference_id
reference_type
scores
url https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.109
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-55752
reference_id CVE-2025-55752
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-55752
9
reference_url https://www.vicarius.io/vsociety/posts/cve-2025-55752-detect-apache-tomcat-vulnerability
reference_id CVE-2025-55752-DETECT-APACHE-TOMCAT-VULNERABILITY
reference_type
scores
url https://www.vicarius.io/vsociety/posts/cve-2025-55752-detect-apache-tomcat-vulnerability
10
reference_url https://www.vicarius.io/vsociety/posts/cve-2025-55752-mitigate-apache-tomcat-vulnerability
reference_id CVE-2025-55752-MITIGATE-APACHE-TOMCAT-VULNERABILITY
reference_type
scores
url https://www.vicarius.io/vsociety/posts/cve-2025-55752-mitigate-apache-tomcat-vulnerability
11
reference_url https://github.com/advisories/GHSA-wmwf-9ccg-fff5
reference_id GHSA-wmwf-9ccg-fff5
reference_type
scores
url https://github.com/advisories/GHSA-wmwf-9ccg-fff5
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@9.0.109
purl pkg:maven/org.apache.tomcat/tomcat@9.0.109
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.109
1
url pkg:maven/org.apache.tomcat/tomcat@10.1.45
purl pkg:maven/org.apache.tomcat/tomcat@10.1.45
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@10.1.45
2
url pkg:maven/org.apache.tomcat/tomcat@11.0.11
purl pkg:maven/org.apache.tomcat/tomcat@11.0.11
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@11.0.11
aliases CVE-2025-55752, GHSA-wmwf-9ccg-fff5
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d8re-94xd-nycp
1
url VCID-wyf8-8szf-qbfn
vulnerability_id VCID-wyf8-8szf-qbfn
summary 
Apache Tomcat vulnerable to Generation of Error Message Containing Sensitive Information
Generation of Error Message Containing Sensitive Information vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 8.5.7 through 8.5.63, from 9.0.0-M11 through 9.0.43.

Users are recommended to upgrade to version 8.5.64 onwards or 9.0.44 onwards, which contain a fix for the issue.
references
0
reference_url https://github.com/apache/tomcat
reference_id
reference_type
scores
url https://github.com/apache/tomcat
1
reference_url https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/86ccc43940861703c2be96a5f35384407522125a
2
reference_url https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311
reference_id
reference_type
scores
url https://github.com/apache/tomcat/commit/ce4b154e7b48f66bd98858626347747cd2514311
3
reference_url https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz
reference_id
reference_type
scores
url https://lists.apache.org/thread/h9bjqdd0odj6lhs2o96qgowcc6hb0cfz
4
reference_url https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2025/01/msg00009.html
5
reference_url https://security.netapp.com/advisory/ntap-20240216-0005
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240216-0005
6
reference_url https://tomcat.apache.org/security-8.html
reference_id
reference_type
scores
url https://tomcat.apache.org/security-8.html
7
reference_url https://tomcat.apache.org/security-9.html
reference_id
reference_type
scores
url https://tomcat.apache.org/security-9.html
8
reference_url http://www.openwall.com/lists/oss-security/2024/01/19/2
reference_id
reference_type
scores
url http://www.openwall.com/lists/oss-security/2024/01/19/2
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-21733
reference_id CVE-2024-21733
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-21733
10
reference_url https://github.com/advisories/GHSA-f4qf-m5gf-8jm8
reference_id GHSA-f4qf-m5gf-8jm8
reference_type
scores
url https://github.com/advisories/GHSA-f4qf-m5gf-8jm8
fixed_packages
0
url pkg:maven/org.apache.tomcat/tomcat@9.0.44
purl pkg:maven/org.apache.tomcat/tomcat@9.0.44
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.44
aliases CVE-2024-21733, GHSA-f4qf-m5gf-8jm8
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wyf8-8szf-qbfn
Fixing_vulnerabilities
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat/tomcat@9.0.0-M11