Search for packages
| purl | pkg:apache/tomcat@8.0.0%2BRC1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-18q4-zark-s7a7
Aliases: CVE-2016-6794 GHSA-2rvf-329f-p99g |
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-1k8f-vsg1-k3d6
Aliases: CVE-2016-0706 GHSA-6vx3-hr43-cfrh |
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-2sbh-sy57-3uez
Aliases: CVE-2018-1304 GHSA-6rxj-58jh-436r |
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-3cr9-g81m-4ugy
Aliases: CVE-2016-5018 GHSA-4v3g-g84w-hv7r |
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-3n4t-bvb1-5qer
Aliases: CVE-2016-6796 GHSA-3mjp-p938-4329 |
A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-3r3s-q21j-c3au
Aliases: CVE-2016-6816 GHSA-jc7p-5r39-9477 |
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-68fk-4g86-ekbp
Aliases: CVE-2015-5345 GHSA-rh8q-vjgf-gf74 |
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-95d1-arxd-hkd1
Aliases: CVE-2016-8735 GHSA-cw54-59pw-4g8c |
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-9exq-fhv6-bbea
Aliases: CVE-2016-0763 GHSA-9hjv-9h75-xmpp |
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-aeeu-fpay-wufz
Aliases: CVE-2018-1336 GHSA-m59c-jpc8-m2x4 |
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. |
Affected by 2 other vulnerabilities. Affected by 3 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-enaj-f97c-jbh7
Aliases: CVE-2017-7674 GHSA-73rx-3f9r-x949 |
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-fyfz-6tr5-2fc7
Aliases: CVE-2017-5664 GHSA-jmvv-524f-hj5j |
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. |
Affected by 1 other vulnerability. Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-g7bk-891a-uufy
Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5 |
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-hmbm-5ysw-77bu
Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp |
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. |
Affected by 1 other vulnerability. Affected by 3 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-hves-r5bg-yfes
Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq |
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-kagr-74d9-kyhx
Aliases: CVE-2016-0762 GHSA-wxcp-f2c8-x6xv |
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
|
VCID-kyb8-rvyw-s7b1
Aliases: CVE-2015-5346 GHSA-jrcp-c39h-r29x |
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-m1zd-uytj-3bej
Aliases: CVE-2017-5647 GHSA-3gv7-3h64-78cm |
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-m2zn-ja8d-7kg8
Aliases: CVE-2018-8034 GHSA-46j3-r4pj-4835 |
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-n3zn-tuck-gkfe
Aliases: CVE-2018-8014 GHSA-r4x2-3cq5-hqvp |
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-pqxe-tfhk-47b7
Aliases: CVE-2016-3092 GHSA-fvm3-cfvj-gxqq |
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. |
Affected by 5 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-tfrs-d458-tfaq
Aliases: CVE-2016-0714 GHSA-mv42-px54-87jw |
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-vdnj-sqmx-e3ep
Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5 |
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-vhjj-dnft-kkf4
Aliases: CVE-2015-5351 GHSA-w7cg-5969-678w |
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
|
VCID-xf8r-kqxb-7qdy
Aliases: CVE-2016-6797 GHSA-q6x7-f33r-3wxx |
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:12.943516+00:00 | Apache Tomcat Importer | Affected by | VCID-68fk-4g86-ekbp | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.913113+00:00 | Apache Tomcat Importer | Affected by | VCID-9exq-fhv6-bbea | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.885749+00:00 | Apache Tomcat Importer | Affected by | VCID-tfrs-d458-tfaq | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.856524+00:00 | Apache Tomcat Importer | Affected by | VCID-1k8f-vsg1-k3d6 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.829657+00:00 | Apache Tomcat Importer | Affected by | VCID-vhjj-dnft-kkf4 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.797586+00:00 | Apache Tomcat Importer | Affected by | VCID-kyb8-rvyw-s7b1 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.730926+00:00 | Apache Tomcat Importer | Affected by | VCID-pqxe-tfhk-47b7 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.672214+00:00 | Apache Tomcat Importer | Affected by | VCID-kagr-74d9-kyhx | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.603745+00:00 | Apache Tomcat Importer | Affected by | VCID-3cr9-g81m-4ugy | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.544567+00:00 | Apache Tomcat Importer | Affected by | VCID-18q4-zark-s7a7 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.479779+00:00 | Apache Tomcat Importer | Affected by | VCID-3n4t-bvb1-5qer | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.411880+00:00 | Apache Tomcat Importer | Affected by | VCID-xf8r-kqxb-7qdy | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.294556+00:00 | Apache Tomcat Importer | Affected by | VCID-3r3s-q21j-c3au | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.266459+00:00 | Apache Tomcat Importer | Affected by | VCID-95d1-arxd-hkd1 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.181986+00:00 | Apache Tomcat Importer | Affected by | VCID-hves-r5bg-yfes | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.123681+00:00 | Apache Tomcat Importer | Affected by | VCID-hmbm-5ysw-77bu | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.008350+00:00 | Apache Tomcat Importer | Affected by | VCID-m1zd-uytj-3bej | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:11.946127+00:00 | Apache Tomcat Importer | Affected by | VCID-fyfz-6tr5-2fc7 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:11.855729+00:00 | Apache Tomcat Importer | Affected by | VCID-enaj-f97c-jbh7 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:11.791220+00:00 | Apache Tomcat Importer | Affected by | VCID-vdnj-sqmx-e3ep | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:11.636875+00:00 | Apache Tomcat Importer | Affected by | VCID-2sbh-sy57-3uez | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:11.605553+00:00 | Apache Tomcat Importer | Affected by | VCID-g7bk-891a-uufy | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:11.540354+00:00 | Apache Tomcat Importer | Affected by | VCID-aeeu-fpay-wufz | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:11.417299+00:00 | Apache Tomcat Importer | Affected by | VCID-n3zn-tuck-gkfe | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:11.389417+00:00 | Apache Tomcat Importer | Affected by | VCID-m2zn-ja8d-7kg8 | https://tomcat.apache.org/security-8.html | 38.0.0 |