VulnerableCode Package Details - pkg:apache/tomcat@7.0.72

Search for packages

Vulnerability	Summary	Fixed by
VCID-3r3s-q21j-c3au Aliases: CVE-2016-6816 GHSA-jc7p-5r39-9477	The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.	7.0.73 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.0.39 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.5.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-95d1-arxd-hkd1 Aliases: CVE-2016-8735 GHSA-cw54-59pw-4g8c	Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.	7.0.73 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.0.39 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.5.8 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M13 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-3r3s-q21j-c3au
Aliases:
CVE-2016-6816
GHSA-jc7p-5r39-9477

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

7.0.73
Affected by 1 other vulnerability.

8.0.39
Affected by 1 other vulnerability.

8.5.8
Affected by 1 other vulnerability.

9.0.0+M13
Affected by 1 other vulnerability.

VCID-95d1-arxd-hkd1
Aliases:
CVE-2016-8735
GHSA-cw54-59pw-4g8c

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

7.0.73
Affected by 1 other vulnerability.

8.0.39
Affected by 1 other vulnerability.

8.5.8
Affected by 1 other vulnerability.

9.0.0+M13
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-18q4-zark-s7a7	When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.	CVE-2016-6794 GHSA-2rvf-329f-p99g
VCID-3cr9-g81m-4ugy	In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.	CVE-2016-5018 GHSA-4v3g-g84w-hv7r
VCID-3n4t-bvb1-5qer	A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.	CVE-2016-6796 GHSA-3mjp-p938-4329
VCID-kagr-74d9-kyhx	The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.	CVE-2016-0762 GHSA-wxcp-f2c8-x6xv
VCID-xf8r-kqxb-7qdy	The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.	CVE-2016-6797 GHSA-q6x7-f33r-3wxx

Vulnerability

Summary

Aliases

VCID-18q4-zark-s7a7

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

CVE-2016-6794
GHSA-2rvf-329f-p99g

VCID-3cr9-g81m-4ugy

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

CVE-2016-5018
GHSA-4v3g-g84w-hv7r

VCID-3n4t-bvb1-5qer

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

CVE-2016-6796
GHSA-3mjp-p938-4329

VCID-kagr-74d9-kyhx

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

CVE-2016-0762
GHSA-wxcp-f2c8-x6xv

VCID-xf8r-kqxb-7qdy

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

CVE-2016-6797
GHSA-q6x7-f33r-3wxx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:14.430772+00:00	Apache Tomcat Importer	Fixing	VCID-kagr-74d9-kyhx	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.399429+00:00	Apache Tomcat Importer	Fixing	VCID-3cr9-g81m-4ugy	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.369772+00:00	Apache Tomcat Importer	Fixing	VCID-18q4-zark-s7a7	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.339121+00:00	Apache Tomcat Importer	Fixing	VCID-3n4t-bvb1-5qer	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.312519+00:00	Apache Tomcat Importer	Fixing	VCID-xf8r-kqxb-7qdy	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.284946+00:00	Apache Tomcat Importer	Affected by	VCID-3r3s-q21j-c3au	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.253768+00:00	Apache Tomcat Importer	Affected by	VCID-95d1-arxd-hkd1	https://tomcat.apache.org/security-7.html	38.0.0