VulnerableCode Package Details - pkg:apache/tomcat@6.0.9

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:apache/tomcat@6.0.9

Essentials
History (2)

purl	pkg:apache/tomcat@6.0.9

Next non-vulnerable version	6.0.11
Latest non-vulnerable version	11.0.21
Risk	10.0

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-87p8-zvvf-y7dm Aliases: CVE-2007-0450 GHSA-4prh-gqw8-rgh5	Directory traversal vulnerability in Apache HTTP Server and Tomcat 5.x before 5.5.22 and 6.x before 6.0.10, when using certain proxy modules (mod_proxy, mod_rewrite, mod_jk), allows remote attackers to read arbitrary files via a .. (dot dot) sequence with combinations of (1) "/" (slash), (2) "\" (backslash), and (3) URL-encoded backslash (%5C) characters in the URL, which are valid separators in Tomcat but not in Apache.	6.0.10 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-qdck-q54n-rkcv	The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.	CVE-2008-0128

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:18.060029+00:00	Apache Tomcat Importer	Fixing	VCID-qdck-q54n-rkcv	https://tomcat.apache.org/security-6.html	38.0.0
2026-04-01T12:38:18.029068+00:00	Apache Tomcat Importer	Affected by	VCID-87p8-zvvf-y7dm	https://tomcat.apache.org/security-6.html	38.0.0