Search for packages
| purl | pkg:apache/tomcat@4.1.39 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4rcx-xfn5-7kdb
Aliases: CVE-2009-0580 GHSA-w227-xcfx-3pj8 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-bung-pa58-ayfv
Aliases: CVE-2009-0781 GHSA-j788-fx57-99wp |
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML." |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-dcrp-rae1-zfcm
Aliases: CVE-2009-0033 GHSA-5cw4-ggx9-36vg |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-mnf8-t3ew-4fgb
Aliases: CVE-2008-5515 GHSA-9737-qmgc-hfr9 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-r84b-7ay9-ekcm
Aliases: CVE-2009-0783 GHSA-hhjg-g8xq-hhr3 |
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-a9cu-fxqw-xkdg | Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. |
CVE-2008-1232
GHSA-q74x-qqhr-f8rx |
| VCID-acmu-9eqb-fya5 | Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. |
CVE-2008-2370
GHSA-m8h8-6rvg-f4mg |
| VCID-qdck-q54n-rkcv | The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. |
CVE-2008-0128
|
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:19.764588+00:00 | Apache Tomcat Importer | Fixing | VCID-acmu-9eqb-fya5 | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.736281+00:00 | Apache Tomcat Importer | Fixing | VCID-a9cu-fxqw-xkdg | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.707867+00:00 | Apache Tomcat Importer | Fixing | VCID-qdck-q54n-rkcv | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.675279+00:00 | Apache Tomcat Importer | Affected by | VCID-r84b-7ay9-ekcm | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.645507+00:00 | Apache Tomcat Importer | Affected by | VCID-bung-pa58-ayfv | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.616560+00:00 | Apache Tomcat Importer | Affected by | VCID-4rcx-xfn5-7kdb | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.588315+00:00 | Apache Tomcat Importer | Affected by | VCID-dcrp-rae1-zfcm | https://tomcat.apache.org/security-4.html | 38.0.0 |
| 2026-04-01T12:38:19.558053+00:00 | Apache Tomcat Importer | Affected by | VCID-mnf8-t3ew-4fgb | https://tomcat.apache.org/security-4.html | 38.0.0 |