VulnerableCode Package Details - pkg:apache/tomcat@8.5.40

Search for packages

Vulnerability	Summary	Fixed by
VCID-39e3-jfbg-s3hk Aliases: CVE-2019-10072 GHSA-q4hg-rmq2-52q9	The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.	8.5.41 Affected by 0 other vulnerabilities. 9.0.20 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-39e3-jfbg-s3hk
Aliases:
CVE-2019-10072
GHSA-q4hg-rmq2-52q9

The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

8.5.41
Affected by 0 other vulnerabilities.

9.0.20
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-4aaa-errb-2qdw	When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).	CVE-2019-0232 GHSA-8vmx-qmch-mpqg
VCID-arkn-bca7-hqam	The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.	CVE-2019-0221 GHSA-jjpq-gp5q-8q6w

Vulnerability

Summary

Aliases

VCID-4aaa-errb-2qdw

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

CVE-2019-0232
GHSA-8vmx-qmch-mpqg

VCID-arkn-bca7-hqam

The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.

CVE-2019-0221
GHSA-jjpq-gp5q-8q6w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:11.286036+00:00	Apache Tomcat Importer	Fixing	VCID-arkn-bca7-hqam	https://tomcat.apache.org/security-8.html	38.0.0
2026-04-01T12:38:11.258360+00:00	Apache Tomcat Importer	Fixing	VCID-4aaa-errb-2qdw	https://tomcat.apache.org/security-8.html	38.0.0
2026-04-01T12:38:11.227261+00:00	Apache Tomcat Importer	Affected by	VCID-39e3-jfbg-s3hk	https://tomcat.apache.org/security-8.html	38.0.0