VulnerableCode Package Details - pkg:apache/tomcat@7.0.20

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:apache/tomcat@7.0.20

Essentials
History (2)

purl	pkg:apache/tomcat@7.0.20

Next non-vulnerable version	7.0.30
Latest non-vulnerable version	11.0.21
Risk	4.0

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-quwu-ep21-cyew Aliases: CVE-2011-3190 GHSA-c38m-v4m2-524v	Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.	7.0.21 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-618c-ar98-qfcr	native/unix/native/jsvc-unix.c in jsvc in the Daemon component 1.0.3 through 1.0.6 in Apache Commons, as used in Apache Tomcat 5.5.32 through 5.5.33, 6.0.30 through 6.0.32, and 7.0.x before 7.0.20 on Linux, does not drop capabilities, which allows remote attackers to bypass read permissions for files via a request to an application.	CVE-2011-2729

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:15.509894+00:00	Apache Tomcat Importer	Fixing	VCID-618c-ar98-qfcr	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:15.480057+00:00	Apache Tomcat Importer	Affected by	VCID-quwu-ep21-cyew	https://tomcat.apache.org/security-7.html	38.0.0