Search for packages
| purl | pkg:apache/tomcat@10.0.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-kwab-3s4q-eka4
Aliases: CVE-2021-30640 GHSA-36qh-35cm-5w2w |
A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-dtvw-92bk-wbcf | A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64. |
CVE-2021-30639
GHSA-44qp-qhfv-c7f6 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:06.297511+00:00 | Apache Tomcat Importer | Fixing | VCID-dtvw-92bk-wbcf | https://tomcat.apache.org/security-10.html | 38.0.0 |
| 2026-04-01T12:38:06.256213+00:00 | Apache Tomcat Importer | Affected by | VCID-kwab-3s4q-eka4 | https://tomcat.apache.org/security-10.html | 38.0.0 |