Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:apache/tomcat@7.0.90
purl pkg:apache/tomcat@7.0.90
Next non-vulnerable version 7.0.91
Latest non-vulnerable version 11.0.21
Risk 10.0
Vulnerabilities affecting this package (1)
Vulnerability Summary Fixed by
VCID-f77q-v5xp-e7dy
Aliases:
CVE-2018-11784
GHSA-5q99-f34m-67gc
When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice.
7.0.91
Affected by 0 other vulnerabilities.
8.5.34
Affected by 0 other vulnerabilities.
9.0.12
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (1)
Vulnerability Summary Aliases
VCID-m2zn-ja8d-7kg8 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. CVE-2018-8034
GHSA-46j3-r4pj-4835

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T12:38:13.829156+00:00 Apache Tomcat Importer Fixing VCID-m2zn-ja8d-7kg8 https://tomcat.apache.org/security-7.html 38.0.0
2026-04-01T12:38:13.798067+00:00 Apache Tomcat Importer Affected by VCID-f77q-v5xp-e7dy https://tomcat.apache.org/security-7.html 38.0.0