VulnerableCode Package Details - pkg:apache/tomcat@7.0.94

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4aaa-errb-2qdw	When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).	CVE-2019-0232 GHSA-8vmx-qmch-mpqg
VCID-arkn-bca7-hqam	The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.	CVE-2019-0221 GHSA-jjpq-gp5q-8q6w

Vulnerability

Summary

Aliases

VCID-4aaa-errb-2qdw

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

CVE-2019-0232
GHSA-8vmx-qmch-mpqg

VCID-arkn-bca7-hqam

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

CVE-2019-0221
GHSA-jjpq-gp5q-8q6w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:13.769303+00:00	Apache Tomcat Importer	Fixing	VCID-arkn-bca7-hqam	https://tomcat.apache.org/security-7.html	38.0.0
2026-04-01T12:38:13.738772+00:00	Apache Tomcat Importer	Fixing	VCID-4aaa-errb-2qdw	https://tomcat.apache.org/security-7.html	38.0.0

2026-04-01T12:38:13.769303+00:00

Apache Tomcat Importer

Fixing

VCID-arkn-bca7-hqam

https://tomcat.apache.org/security-7.html

38.0.0

2026-04-01T12:38:13.738772+00:00

Apache Tomcat Importer

Fixing

VCID-4aaa-errb-2qdw

https://tomcat.apache.org/security-7.html

38.0.0