VulnerableCode Package Details - pkg:apache/tomcat@7.0.19

Search for packages

Vulnerability	Summary	Fixed by
VCID-618c-ar98-qfcr Aliases: CVE-2011-2729	native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.	7.0.20 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-618c-ar98-qfcr
Aliases:
CVE-2011-2729

native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.

7.0.20
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-241m-q6vd-kudk	Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.	CVE-2011-2526 GHSA-9ggm-7897-x4mg
VCID-mctd-9zgv-5qgp	Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.	CVE-2011-2204 GHSA-c57p-3v2g-w9rg
VCID-xqrn-wuv5-x7de	Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.	CVE-2011-2481 GHSA-r7c8-hghc-2mp8

Vulnerability

Summary

Aliases

VCID-241m-q6vd-kudk

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.

CVE-2011-2526
GHSA-9ggm-7897-x4mg

VCID-mctd-9zgv-5qgp

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

CVE-2011-2204
GHSA-c57p-3v2g-w9rg

VCID-xqrn-wuv5-x7de

Apache Tomcat 7.0.x before 7.0.17 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application. NOTE: this vulnerability exists because of a CVE-2009-0783 regression.

CVE-2011-2481
GHSA-r7c8-hghc-2mp8

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:15.604361+00:00	Apache Tomcat Importer	Fixing	VCID-xqrn-wuv5-x7de	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:15.576356+00:00	Apache Tomcat Importer	Fixing	VCID-mctd-9zgv-5qgp	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:15.542906+00:00	Apache Tomcat Importer	Fixing	VCID-241m-q6vd-kudk	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:15.508162+00:00	Apache Tomcat Importer	Affected by	VCID-618c-ar98-qfcr	https://tomcat.apache.org/security-7.html	38.0.0