Search for packages
| purl | pkg:apache/tomcat@8.5.83 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-stds-vw5z-auhp
Aliases: CVE-2022-45143 GHSA-rq2w-37h9-vg94 |
The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output. |
Affected by 1 other vulnerability. Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-nmq2-8ysj-4fbc | If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. |
CVE-2022-42252
GHSA-p22x-g9px-3945 |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:10.327059+00:00 | Apache Tomcat Importer | Fixing | VCID-nmq2-8ysj-4fbc | https://tomcat.apache.org/security-8.html | 38.0.0 |
| 2026-04-01T12:38:10.295016+00:00 | Apache Tomcat Importer | Affected by | VCID-stds-vw5z-auhp | https://tomcat.apache.org/security-8.html | 38.0.0 |