Package details: pkg:apache/tomcat@7.0.11
purl pkg:apache/tomcat@7.0.11
Next non-vulnerable version 7.0.14
Latest non-vulnerable version 11.0.21
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-5eqm-218u-p7gq
Aliases:
CVE-2011-1475
GHSA-h6c8-rg87-f3pc
The HTTP BIO connector in Apache Tomcat 7.0.x before 7.0.12 does not properly handle HTTP pipelining, which allows remote attackers to read responses intended for other clients in opportunistic circumstances by examining the application data in HTTP packets, related to "a mix-up of responses for requests from different users."
7.0.12
Affected by 1 other vulnerability.
VCID-d9ys-kxh6-nkgr
Aliases:
CVE-2011-1184
GHSA-q9xf-jwr4-v445
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.
7.0.12
Affected by 1 other vulnerability.
VCID-rhg2-n93w-tqeu
Aliases:
CVE-2011-1183
GHSA-p26v-97vp-jcx6
Apache Tomcat 7.0.11, when web.xml has no login configuration, does not follow security constraints, which allows remote attackers to bypass intended access restrictions via HTTP requests to a meta-data complete web application. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-1088 and CVE-2011-1419.
7.0.12
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-95fn-d2ad-qyg6 Apache Tomcat 7.x before 7.0.10 does not follow ServletSecurity annotations, which allows remote attackers to bypass intended access restrictions via HTTP requests to a web application. CVE-2011-1088
GHSA-mg4v-rf8p-ghqq

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T12:38:15.766220+00:00 Apache Tomcat Importer Fixing VCID-95fn-d2ad-qyg6 https://tomcat.apache.org/security-7.html 38.0.0
2026-04-01T12:38:15.728880+00:00 Apache Tomcat Importer Affected by VCID-rhg2-n93w-tqeu https://tomcat.apache.org/security-7.html 38.0.0
2026-04-01T12:38:15.702933+00:00 Apache Tomcat Importer Affected by VCID-d9ys-kxh6-nkgr https://tomcat.apache.org/security-7.html 38.0.0
2026-04-01T12:38:15.669594+00:00 Apache Tomcat Importer Affected by VCID-5eqm-218u-p7gq https://tomcat.apache.org/security-7.html 38.0.0