Search for packages
| purl | pkg:apache/tomcat@6.0.16 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-a9cu-fxqw-xkdg
Aliases: CVE-2008-1232 GHSA-q74x-qqhr-f8rx |
Cross-site scripting (XSS) vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via a crafted string that is used in the message argument to the HttpServletResponse.sendError method. |
Affected by 5 other vulnerabilities. |
|
VCID-acmu-9eqb-fya5
Aliases: CVE-2008-2370 GHSA-m8h8-6rvg-f4mg |
Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. |
Affected by 5 other vulnerabilities. |
|
VCID-egup-27ub-6uaf
Aliases: CVE-2008-1947 GHSA-f98p-9pp6-7q6c |
Cross-site scripting (XSS) vulnerability in Apache Tomcat 5.5.9 through 5.5.26 and 6.0.0 through 6.0.16 allows remote attackers to inject arbitrary web script or HTML via the name parameter (aka the hostname attribute) to host-manager/html/add. |
Affected by 5 other vulnerabilities. |
|
VCID-hves-r5bg-yfes
Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq |
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-7pd9-1r19-73fe | Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request. |
CVE-2007-6286
GHSA-qrj4-rmqg-4hcp |
| VCID-88v7-kc2y-bfd7 | Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag. |
CVE-2007-5461
GHSA-v5p2-vg3c-pmrr |
| VCID-hhkg-mfp5-2kax | The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler. |
CVE-2007-5342
GHSA-w65j-cmqc-37p2 |
| VCID-t9y6-suc2-2kcg | Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception. |
CVE-2008-0002
GHSA-5x5f-9r6q-q7mh |
| VCID-v94p-bxm3-akfd | Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385. |
CVE-2007-5333
GHSA-cww4-vj5r-rx57 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:17.799680+00:00 | Apache Tomcat Importer | Fixing | VCID-t9y6-suc2-2kcg | https://tomcat.apache.org/security-6.html | 38.0.0 |
| 2026-04-01T12:38:17.769900+00:00 | Apache Tomcat Importer | Fixing | VCID-7pd9-1r19-73fe | https://tomcat.apache.org/security-6.html | 38.0.0 |
| 2026-04-01T12:38:17.739964+00:00 | Apache Tomcat Importer | Fixing | VCID-88v7-kc2y-bfd7 | https://tomcat.apache.org/security-6.html | 38.0.0 |
| 2026-04-01T12:38:17.710634+00:00 | Apache Tomcat Importer | Fixing | VCID-hhkg-mfp5-2kax | https://tomcat.apache.org/security-6.html | 38.0.0 |
| 2026-04-01T12:38:17.681391+00:00 | Apache Tomcat Importer | Fixing | VCID-v94p-bxm3-akfd | https://tomcat.apache.org/security-6.html | 38.0.0 |
| 2026-04-01T12:38:17.647943+00:00 | Apache Tomcat Importer | Affected by | VCID-acmu-9eqb-fya5 | https://tomcat.apache.org/security-6.html | 38.0.0 |
| 2026-04-01T12:38:17.617355+00:00 | Apache Tomcat Importer | Affected by | VCID-egup-27ub-6uaf | https://tomcat.apache.org/security-6.html | 38.0.0 |
| 2026-04-01T12:38:17.587559+00:00 | Apache Tomcat Importer | Affected by | VCID-a9cu-fxqw-xkdg | https://tomcat.apache.org/security-6.html | 38.0.0 |
| 2026-04-01T12:38:15.995309+00:00 | Apache Tomcat Importer | Affected by | VCID-hves-r5bg-yfes | https://tomcat.apache.org/security-6.html | 38.0.0 |