VulnerableCode Package Details - pkg:apache/tomcat@8.0.41

Search for packages

Vulnerability	Summary	Fixed by
VCID-hmbm-5ysw-77bu Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp	While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.	8.0.42 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 8.5.12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.0+M18 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-hmbm-5ysw-77bu
Aliases:
CVE-2017-5648
GHSA-3vx3-xf6q-r5xp

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

8.0.42
Affected by 1 other vulnerability.

8.5.12
Affected by 3 other vulnerabilities.

9.0.0+M18
Affected by 3 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-hves-r5bg-yfes	A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.	CVE-2016-8745 GHSA-w3j5-q8f2-3cqq

Vulnerability

Summary

Aliases

VCID-hves-r5bg-yfes

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

CVE-2016-8745
GHSA-w3j5-q8f2-3cqq

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:12.186271+00:00	Apache Tomcat Importer	Fixing	VCID-hves-r5bg-yfes	https://tomcat.apache.org/security-8.html	38.0.0
2026-04-01T12:38:12.126231+00:00	Apache Tomcat Importer	Affected by	VCID-hmbm-5ysw-77bu	https://tomcat.apache.org/security-8.html	38.0.0

2026-04-01T12:38:12.186271+00:00

Apache Tomcat Importer

Fixing

VCID-hves-r5bg-yfes

https://tomcat.apache.org/security-8.html

38.0.0

2026-04-01T12:38:12.126231+00:00

Apache Tomcat Importer

Affected by

VCID-hmbm-5ysw-77bu

https://tomcat.apache.org/security-8.html

38.0.0

Next non-vulnerable version	8.0.48
Latest non-vulnerable version	11.0.21
Risk	4.5