VulnerableCode Package Details - pkg:apache/tomcat@7.0.73

Search for packages

Vulnerability	Summary	Fixed by
VCID-hves-r5bg-yfes Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq	A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.	7.0.75 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.0.41 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.5.9 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M15 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-hves-r5bg-yfes
Aliases:
CVE-2016-8745
GHSA-w3j5-q8f2-3cqq

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

7.0.75
Affected by 1 other vulnerability.

8.0.41
Affected by 1 other vulnerability.

8.5.9
Affected by 1 other vulnerability.

9.0.0+M15
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-3r3s-q21j-c3au	The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.	CVE-2016-6816 GHSA-jc7p-5r39-9477
VCID-95d1-arxd-hkd1	Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.	CVE-2016-8735 GHSA-cw54-59pw-4g8c

Vulnerability

Summary

Aliases

VCID-3r3s-q21j-c3au

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

CVE-2016-6816
GHSA-jc7p-5r39-9477

VCID-95d1-arxd-hkd1

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVE-2016-8735
GHSA-cw54-59pw-4g8c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:14.286868+00:00	Apache Tomcat Importer	Fixing	VCID-3r3s-q21j-c3au	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.256570+00:00	Apache Tomcat Importer	Fixing	VCID-95d1-arxd-hkd1	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.222317+00:00	Apache Tomcat Importer	Affected by	VCID-hves-r5bg-yfes	https://tomcat.apache.org/security-7.html	38.0.0