| purl | pkg:apache/tomcat@8.5.38 |

| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-qkx6-32cj-jfbp; Aliases: CVE-2022-29885 GHSA-r84p-88g2-2vx2 | The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. | Affected by 0 other vulnerabilities. |

| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-wbaq-j85q-y3c6 | The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. | CVE-2019-0199 GHSA-qcxh-w3j9-58qr |

| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:11.330323+00:00 | Apache Tomcat Importer | Fixing | VCID-wbaq-j85q-y3c6 | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:10.385381+00:00 | Apache Tomcat Importer | Affected by | VCID-qkx6-32cj-jfbp | https://tomcat.apache.org/security-8.html | 38.0.0 |