Search for packages
| purl | pkg:apache/tomcat@4.1.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-18j8-kwdv-dyak
Aliases: CVE-2005-3510 GHSA-8f4w-jwqv-5cxc |
Apache Tomcat 5.5.0 to 5.5.11 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous requests to list a web directory that has a large number of files. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-27q8-96un-9fbk
Aliases: CVE-2007-1355 GHSA-4c6x-gfc8-c26r |
Multiple cross-site scripting (XSS) vulnerabilities in the appdev/sample/web/hello.jsp example application in Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.23, and 6.0.0 through 6.0.10 allow remote attackers to inject arbitrary web script or HTML via the test parameter and unspecified vectors. |
Affected by 3 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2jnv-segx-zkfd
Aliases: CVE-2006-3835 GHSA-wfj7-mhr5-pcwq |
Apache Tomcat 5 before 5.5.17 allows remote attackers to list directories via a semicolon (;) preceding a filename with a mapped extension, as demonstrated by URLs ending with /;index.jsp and /;help.do. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-4rcx-xfn5-7kdb
Aliases: CVE-2009-0580 GHSA-w227-xcfx-3pj8 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-6epr-2hbd-skcz
Aliases: CVE-2005-2090 GHSA-f2gq-p6qv-ccw4 |
Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." |
Affected by 9 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-6p3e-4u8s-17ep
Aliases: CVE-2007-3385 GHSA-6j8f-66vh-39mj |
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-7969-7a8h-zyhh
Aliases: CVE-2007-3382 GHSA-qff8-g48j-pwpw |
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-87p8-zvvf-y7dm
Aliases: CVE-2007-0450 GHSA-4prh-gqw8-rgh5 |
Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache. |
Affected by 9 other vulnerabilities. Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. |
|
VCID-88v7-kc2y-bfd7
Aliases: CVE-2007-5461 GHSA-v5p2-vg3c-pmrr |
Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-99es-8ecb-uub8
Aliases: CVE-2002-0935 GHSA-xmf4-j3j7-xj7q |
Apache Tomcat 4.0.3, and possibly other versions before 4.1.3 beta, allows remote attackers to cause a denial of service (resource exhaustion) via a large number of requests to the server with null characters, which causes the working threads to hang. |
Affected by 0 other vulnerabilities. |
|
VCID-a9cu-fxqw-xkdg
Aliases: CVE-2008-1232 GHSA-q74x-qqhr-f8rx |
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-acmu-9eqb-fya5
Aliases: CVE-2008-2370 GHSA-m8h8-6rvg-f4mg |
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. |
Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. Affected by 5 other vulnerabilities. |
|
VCID-afg3-t31c-ffgp
Aliases: CVE-2002-1567 GHSA-86fp-jgwm-wgj5 |
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1 allows remote attackers to execute arbitrary web script and steal cookies via a URL with encoded newlines followed by a request to a .jsp file whose name contains the script. |
Affected by 0 other vulnerabilities. |
|
VCID-bhq7-d545-27bj
Aliases: CVE-2006-7196 GHSA-pm78-wxxf-fw98 |
Cross-site scripting (XSS) vulnerability in the calendar application example in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.15 allows remote attackers to inject arbitrary web script or HTML via the time parameter to cal2.jsp and possibly unspecified other vectors. NOTE: this may be related to CVE-2006-0254.1. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-bung-pa58-ayfv
Aliases: CVE-2009-0781 GHSA-j788-fx57-99wp |
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-dcrp-rae1-zfcm
Aliases: CVE-2009-0033 GHSA-5cw4-ggx9-36vg |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-fvvt-kufu-k3a6
Aliases: CVE-2008-3271 |
Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-j2sv-62js-xbav
Aliases: CVE-2002-1394 GHSA-8v5p-2cpv-c2x6 |
Apache Tomcat 4.0.5 and earlier, when using both the invoker servlet and the default servlet, allows remote attackers to read source code for server files or bypass certain protections, a variant of CAN-2002-1148. |
Affected by 0 other vulnerabilities. |
|
VCID-mnf8-t3ew-4fgb
Aliases: CVE-2008-5515 GHSA-9737-qmgc-hfr9 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-mp3r-5531-uqg5
Aliases: CVE-2005-3164 GHSA-qhqv-q4xg-f6g7 |
The AJP connector in Apache Tomcat 4.0.1 through 4.0.6 and 4.1.0 through 4.1.36, as used in Hitachi Cosminexus Application Server and standalone, does not properly handle when a connection is broken before request body data is sent in a POST request, which can lead to an information leak when "unsuitable request body data" is used for a different request, possibly related to Java Servlet pages. |
Affected by 3 other vulnerabilities. |
|
VCID-p45v-qpgg-qqfj
Aliases: CVE-2007-3383 GHSA-wjwr-3jch-479j |
Cross-site scripting (XSS) vulnerability in SendMailServlet in the examples web application (examples/jsp/mail/sendmail.jsp) in Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.36 allows remote attackers to inject arbitrary web script or HTML via the From field and possibly other fields, related to generation of error messages. |
Affected by 3 other vulnerabilities. |
|
VCID-peya-mr7j-vugf
Aliases: CVE-2007-2449 GHSA-hc39-rjwp-qffq |
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-q7jp-hn4a-4kec
Aliases: CVE-2005-4838 |
Multiple cross-site scripting (XSS) vulnerabilities in the example web applications for Jakarta Tomcat 5.5.6 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) el/functions.jsp, (2) el/implicit-objects.jsp, and (3) jspx/textRotate.jspx in examples/jsp2/, as demonstrated via script in a request to snp/snoop.jsp. NOTE: other XSS issues in the manager were simultaneously reported, but these require admin access and do not cross privilege boundaries. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-qdck-q54n-rkcv
Aliases: CVE-2008-0128 |
The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
Affected by 5 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-qxkf-4ddv-j3b7
Aliases: CVE-2007-1358 GHSA-xmc9-6p56-3c4v |
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616". |
Affected by 9 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-r1bk-cqhx-ebc5
Aliases: CVE-2002-1148 GHSA-jxcv-v856-j5vg |
The default servlet (org.apache.catalina.servlets.DefaultServlet) in Tomcat 4.0.4 and 4.1.10 and earlier allows remote attackers to read source code for server files via a direct request to the servlet. |
Affected by 2 other vulnerabilities. |
|
VCID-r84b-7ay9-ekcm
Aliases: CVE-2009-0783 GHSA-hhjg-g8xq-hhr3 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-ssnx-gz8e-87ab
Aliases: CVE-2002-0682 |
Cross-site scripting vulnerability in Apache Tomcat 4.0.3 allows remote attackers to execute script as other web users via script in a URL with the /servlet/ mapping, which does not filter the script when an exception is thrown by the servlet. |
Affected by 0 other vulnerabilities. |
|
VCID-tcju-3rvu-wkht
Aliases: CVE-2007-2450 GHSA-5c5p-jxvx-x7j2 |
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors. |
Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-v94p-bxm3-akfd
Aliases: CVE-2007-5333 GHSA-cww4-vj5r-rx57 |
Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385. |
Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-2fb2-r763-ybg5 | The default installation of Apache Tomcat 4.0 through 4.1 and 3.0 through 3.3.1 allows remote attackers to obtain the installation path and other sensitive system information via the (1) SnoopServlet or (2) TroubleShooter example servlets. |
CVE-2002-2006
GHSA-8g4f-fh7f-4fwh |
| VCID-9y3t-7vfv-cbd2 | The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests. |
CVE-2003-0866
GHSA-7wj2-48c4-2684 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:20.648901+00:00 | Apache Tomcat Importer | Fixing | VCID-2fb2-r763-ybg5 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.618899+00:00 | Apache Tomcat Importer | Fixing | VCID-9y3t-7vfv-cbd2 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.570626+00:00 | Apache Tomcat Importer | Affected by | VCID-99es-8ecb-uub8 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.522015+00:00 | Apache Tomcat Importer | Affected by | VCID-r1bk-cqhx-ebc5 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.485362+00:00 | Apache Tomcat Importer | Affected by | VCID-ssnx-gz8e-87ab | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.445825+00:00 | Apache Tomcat Importer | Affected by | VCID-j2sv-62js-xbav | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.412138+00:00 | Apache Tomcat Importer | Affected by | VCID-afg3-t31c-ffgp | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.380117+00:00 | Apache Tomcat Importer | Affected by | VCID-18j8-kwdv-dyak | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.345198+00:00 | Apache Tomcat Importer | Affected by | VCID-q7jp-hn4a-4kec | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.310592+00:00 | Apache Tomcat Importer | Affected by | VCID-2jnv-segx-zkfd | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.276052+00:00 | Apache Tomcat Importer | Affected by | VCID-bhq7-d545-27bj | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.214636+00:00 | Apache Tomcat Importer | Affected by | VCID-fvvt-kufu-k3a6 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.157036+00:00 | Apache Tomcat Importer | Affected by | VCID-qxkf-4ddv-j3b7 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.123129+00:00 | Apache Tomcat Importer | Affected by | VCID-87p8-zvvf-y7dm | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.088343+00:00 | Apache Tomcat Importer | Affected by | VCID-6epr-2hbd-skcz | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.051686+00:00 | Apache Tomcat Importer | Affected by | VCID-88v7-kc2y-bfd7 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:20.022238+00:00 | Apache Tomcat Importer | Affected by | VCID-v94p-bxm3-akfd | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.994711+00:00 | Apache Tomcat Importer | Affected by | VCID-6p3e-4u8s-17ep | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.964458+00:00 | Apache Tomcat Importer | Affected by | VCID-p45v-qpgg-qqfj | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.930432+00:00 | Apache Tomcat Importer | Affected by | VCID-7969-7a8h-zyhh | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.898877+00:00 | Apache Tomcat Importer | Affected by | VCID-tcju-3rvu-wkht | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.864987+00:00 | Apache Tomcat Importer | Affected by | VCID-peya-mr7j-vugf | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.832808+00:00 | Apache Tomcat Importer | Affected by | VCID-27q8-96un-9fbk | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.796270+00:00 | Apache Tomcat Importer | Affected by | VCID-mp3r-5531-uqg5 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.760356+00:00 | Apache Tomcat Importer | Affected by | VCID-acmu-9eqb-fya5 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.731843+00:00 | Apache Tomcat Importer | Affected by | VCID-a9cu-fxqw-xkdg | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.703092+00:00 | Apache Tomcat Importer | Affected by | VCID-qdck-q54n-rkcv | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.673187+00:00 | Apache Tomcat Importer | Affected by | VCID-r84b-7ay9-ekcm | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.643397+00:00 | Apache Tomcat Importer | Affected by | VCID-bung-pa58-ayfv | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.614306+00:00 | Apache Tomcat Importer | Affected by | VCID-4rcx-xfn5-7kdb | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.586222+00:00 | Apache Tomcat Importer | Affected by | VCID-dcrp-rae1-zfcm | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.555494+00:00 | Apache Tomcat Importer | Affected by | VCID-mnf8-t3ew-4fgb | https://tomcat.apache.org/security-4.html | 38.0.0 |