VulnerableCode Package Details - pkg:apache/tomcat@7.0.79

Search for packages

Vulnerability	Summary	Fixed by
VCID-q6hm-mmfs-zka5 Aliases: CVE-2017-12615 GHSA-pjfr-qf3p-3q25	When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	7.0.81 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-qbfw-16rt-qyc7 Aliases: CVE-2017-15706 GHSA-372q-33vh-8mpc	As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.	7.0.84 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 8.0.48 Affected by 0 other vulnerabilities. 8.5.24 Affected by 0 other vulnerabilities. 9.0.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-q6hm-mmfs-zka5
Aliases:
CVE-2017-12615
GHSA-pjfr-qf3p-3q25

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

7.0.81
Affected by 1 other vulnerability.

VCID-qbfw-16rt-qyc7
Aliases:
CVE-2017-15706
GHSA-372q-33vh-8mpc

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.

7.0.84
Affected by 2 other vulnerabilities.

8.0.48
Affected by 0 other vulnerabilities.

8.5.24
Affected by 0 other vulnerabilities.

9.0.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-enaj-f97c-jbh7	The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.	CVE-2017-7674 GHSA-73rx-3f9r-x949

Vulnerability

Summary

Aliases

VCID-enaj-f97c-jbh7

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

CVE-2017-7674
GHSA-73rx-3f9r-x949

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:14.102433+00:00	Apache Tomcat Importer	Fixing	VCID-enaj-f97c-jbh7	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:14.070908+00:00	Apache Tomcat Importer	Affected by	VCID-q6hm-mmfs-zka5	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:13.969828+00:00	Apache Tomcat Importer	Affected by	VCID-qbfw-16rt-qyc7	https://tomcat.apache.org/security-7.html	38.0.0