Search for packages
| purl | pkg:apache/tomcat@8.0.0-RC1 |
| Next non-vulnerable version | 8.0.0-RC10 |
| Latest non-vulnerable version | 11.0.21 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4mkw-7haq-pkgn
Aliases: CVE-2014-0230 GHSA-pxcx-cxq8-4mmw |
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts. |
Affected by 0 other vulnerabilities. |
|
VCID-7cpu-h5fr-8ffd
Aliases: CVE-2014-7810 GHSA-4c43-cwvx-9crh |
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation. |
Affected by 0 other vulnerabilities. |
|
VCID-a1by-zvtm-akdc
Aliases: CVE-2014-0227 GHSA-42j3-498q-m6vp |
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding. |
Affected by 0 other vulnerabilities. |
|
VCID-gv12-4ruf-kfhq
Aliases: CVE-2014-0050 GHSA-xx68-jfcg-xmmf |
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. |
Affected by 4 other vulnerabilities. |
|
VCID-jf7u-dvpd-b7f4
Aliases: CVE-2014-0119 GHSA-prc3-7f44-w48j |
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application. |
Affected by 2 other vulnerabilities. |
|
VCID-kgd1-bzst-muh7
Aliases: CVE-2014-0096 GHSA-qprx-q2r7-3rx6 |
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
Affected by 1 other vulnerability. |
|
VCID-kzzv-rhya-j7dd
Aliases: CVE-2014-0075 GHSA-475f-74wp-pqv5 |
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. |
Affected by 1 other vulnerability. |
|
VCID-p6ch-pc73-b3ck
Aliases: CVE-2015-5174 GHSA-6qr6-x7jm-x2q6 |
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. |
Affected by 0 other vulnerabilities. |
|
VCID-tcbc-3kgt-muam
Aliases: CVE-2013-4322 GHSA-wq2p-q66w-q8gp |
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544. |
Affected by 0 other vulnerabilities. |
|
VCID-w82a-7kk2-p3f1
Aliases: CVE-2013-4590 GHSA-87w9-x2c3-hrjj |
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain "Tomcat internals" information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
Affected by 0 other vulnerabilities. |
|
VCID-ygvw-69am-s7ae
Aliases: CVE-2014-0099 GHSA-xh5x-j8jf-pcpx |
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:13.346463+00:00 | Apache Tomcat Importer | Affected by | VCID-w82a-7kk2-p3f1 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.313189+00:00 | Apache Tomcat Importer | Affected by | VCID-tcbc-3kgt-muam | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.280919+00:00 | Apache Tomcat Importer | Affected by | VCID-gv12-4ruf-kfhq | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.254683+00:00 | Apache Tomcat Importer | Affected by | VCID-ygvw-69am-s7ae | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.226084+00:00 | Apache Tomcat Importer | Affected by | VCID-kgd1-bzst-muh7 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.164699+00:00 | Apache Tomcat Importer | Affected by | VCID-kzzv-rhya-j7dd | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.131837+00:00 | Apache Tomcat Importer | Affected by | VCID-jf7u-dvpd-b7f4 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.094022+00:00 | Apache Tomcat Importer | Affected by | VCID-4mkw-7haq-pkgn | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.052025+00:00 | Apache Tomcat Importer | Affected by | VCID-a1by-zvtm-akdc | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:13.014195+00:00 | Apache Tomcat Importer | Affected by | VCID-7cpu-h5fr-8ffd | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:12.979577+00:00 | Apache Tomcat Importer | Affected by | VCID-p6ch-pc73-b3ck | https://tomcat.apache.org/security-8.html | 38.0.0 |