VulnerableCode Package Details - pkg:apache/tomcat@6.0.35

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:apache/tomcat@6.0.35

Essentials
History (8)

purl	pkg:apache/tomcat@6.0.35

Next non-vulnerable version	6.0.50
Latest non-vulnerable version	11.0.21
Risk	4.0

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-fpuc-fe6m-47c6 Aliases: CVE-2012-3546 GHSA-jgm2-m5cg-f66g	org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when FORM authentication is used, allows remote attackers to bypass security-constraint checks by leveraging a previous setUserPrincipal call and then placing /j_security_check at the end of a URI.	6.0.36 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.30 Affected by 0 other vulnerabilities.
VCID-mwk8-b5c9-kbb9 Aliases: CVE-2012-4534	org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response.	6.0.36 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.28 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-n76n-ywja-rbhh Aliases: CVE-2012-3439	Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2012-5885, CVE-2012-5886, CVE-2012-5887. Reason: This candidate is a duplicate of CVE-2012-5885, CVE-2012-5886, and CVE-2012-5887. Notes: All CVE users should reference one or more of CVE-2012-5885, CVE-2012-5886, and CVE-2012-5887 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.	6.0.36 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.30 Affected by 0 other vulnerabilities.
VCID-ta1m-dh8x-nubc Aliases: CVE-2012-4431 GHSA-76vr-72mv-mf3q	org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.	6.0.36 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.32 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-vd1s-m27a-8ucc Aliases: CVE-2012-2733	java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not properly restrict the request-header size, which allows remote attackers to cause a denial of service (memory consumption) via a large amount of header data.	6.0.36 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.28 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (3)

Vulnerability	Summary	Aliases
VCID-hhk9-cr54-8fgc	Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.	CVE-2012-0022 GHSA-8h2q-qm9x-55jc
VCID-hxj6-mupf-abbc	Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.	CVE-2011-3375 GHSA-rp8h-vr48-4j8p
VCID-quwu-ep21-cyew	Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.	CVE-2011-3190 GHSA-c38m-v4m2-524v

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:16.990632+00:00	Apache Tomcat Importer	Fixing	VCID-hhk9-cr54-8fgc	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.958767+00:00	Apache Tomcat Importer	Fixing	VCID-quwu-ep21-cyew	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.929547+00:00	Apache Tomcat Importer	Fixing	VCID-hxj6-mupf-abbc	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.901909+00:00	Apache Tomcat Importer	Affected by	VCID-mwk8-b5c9-kbb9	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.873951+00:00	Apache Tomcat Importer	Affected by	VCID-ta1m-dh8x-nubc	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.846701+00:00	Apache Tomcat Importer	Affected by	VCID-fpuc-fe6m-47c6	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.819522+00:00	Apache Tomcat Importer	Affected by	VCID-n76n-ywja-rbhh	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.787793+00:00	Apache Tomcat Importer	Affected by	VCID-vd1s-m27a-8ucc	https://tomcat.apache.org/security-6.html	38.0.0