VulnerableCode Package Details - pkg:apache/tomcat@7.0.68

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1k8f-vsg1-k3d6	Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.	CVE-2016-0706 GHSA-6vx3-hr43-cfrh
VCID-68fk-4g86-ekbp	The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.	CVE-2015-5345 GHSA-rh8q-vjgf-gf74
VCID-9exq-fhv6-bbea	The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.	CVE-2016-0763 GHSA-9hjv-9h75-xmpp
VCID-tfrs-d458-tfaq	The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.	CVE-2016-0714 GHSA-mv42-px54-87jw
VCID-vhjj-dnft-kkf4	The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.	CVE-2015-5351 GHSA-w7cg-5969-678w

Vulnerability

Summary

Aliases

VCID-1k8f-vsg1-k3d6

Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

CVE-2016-0706
GHSA-6vx3-hr43-cfrh

VCID-68fk-4g86-ekbp

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

CVE-2015-5345
GHSA-rh8q-vjgf-gf74

VCID-9exq-fhv6-bbea

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

CVE-2016-0763
GHSA-9hjv-9h75-xmpp

VCID-tfrs-d458-tfaq

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

CVE-2016-0714
GHSA-mv42-px54-87jw

VCID-vhjj-dnft-kkf4

The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

CVE-2015-5351
GHSA-w7cg-5969-678w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:14.621257+00:00	Apache Tomcat Importer	Fixing	VCID-9exq-fhv6-bbea	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.589091+00:00	Apache Tomcat Importer	Fixing	VCID-tfrs-d458-tfaq	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.557862+00:00	Apache Tomcat Importer	Fixing	VCID-1k8f-vsg1-k3d6	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.527446+00:00	Apache Tomcat Importer	Fixing	VCID-vhjj-dnft-kkf4	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.494467+00:00	Apache Tomcat Importer	Fixing	VCID-68fk-4g86-ekbp	https://tomcat.apache.org/security-7.html	38.0.0