VulnerableCode Package Details - pkg:apache/tomcat@6.0.45

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:apache/tomcat@6.0.45

Essentials
History (9)

purl	pkg:apache/tomcat@6.0.45

Next non-vulnerable version	6.0.50
Latest non-vulnerable version	11.0.21
Risk	4.5

Vulnerabilities affecting this package (5)

Vulnerability	Summary	Fixed by
VCID-18q4-zark-s7a7 Aliases: CVE-2016-6794 GHSA-2rvf-329f-p99g	When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.	6.0.47 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.72 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.0.37 Affected by 0 other vulnerabilities. 8.5.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M10 Affected by 0 other vulnerabilities.
VCID-3cr9-g81m-4ugy Aliases: CVE-2016-5018 GHSA-4v3g-g84w-hv7r	In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.	6.0.47 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.72 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.0.37 Affected by 0 other vulnerabilities. 8.5.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M10 Affected by 0 other vulnerabilities.
VCID-3n4t-bvb1-5qer Aliases: CVE-2016-6796 GHSA-3mjp-p938-4329	A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.	6.0.47 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.72 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.0.37 Affected by 0 other vulnerabilities. 8.5.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M10 Affected by 0 other vulnerabilities.
VCID-kagr-74d9-kyhx Aliases: CVE-2016-0762 GHSA-wxcp-f2c8-x6xv	The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.	6.0.47 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.72 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.0.37 Affected by 0 other vulnerabilities. 8.5.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M10 Affected by 0 other vulnerabilities.
VCID-xf8r-kqxb-7qdy Aliases: CVE-2016-6797 GHSA-q6x7-f33r-3wxx	The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.	6.0.47 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 7.0.72 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.0.37 Affected by 0 other vulnerabilities. 8.5.5 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M10 Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (4)

Vulnerability	Summary	Aliases
VCID-1k8f-vsg1-k3d6	Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.	CVE-2016-0706 GHSA-6vx3-hr43-cfrh
VCID-68fk-4g86-ekbp	The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.	CVE-2015-5345 GHSA-rh8q-vjgf-gf74
VCID-p6ch-pc73-b3ck	Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.	CVE-2015-5174 GHSA-6qr6-x7jm-x2q6
VCID-tfrs-d458-tfaq	The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.	CVE-2016-0714 GHSA-mv42-px54-87jw

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:16.334627+00:00	Apache Tomcat Importer	Fixing	VCID-tfrs-d458-tfaq	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.305108+00:00	Apache Tomcat Importer	Fixing	VCID-1k8f-vsg1-k3d6	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.276297+00:00	Apache Tomcat Importer	Fixing	VCID-68fk-4g86-ekbp	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.246456+00:00	Apache Tomcat Importer	Fixing	VCID-p6ch-pc73-b3ck	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.212676+00:00	Apache Tomcat Importer	Affected by	VCID-kagr-74d9-kyhx	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.180917+00:00	Apache Tomcat Importer	Affected by	VCID-3cr9-g81m-4ugy	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.151117+00:00	Apache Tomcat Importer	Affected by	VCID-18q4-zark-s7a7	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.122108+00:00	Apache Tomcat Importer	Affected by	VCID-3n4t-bvb1-5qer	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:16.091924+00:00	Apache Tomcat Importer	Affected by	VCID-xf8r-kqxb-7qdy	https://tomcat.apache.org/security-6.html	38.0.0