VulnerableCode Package Details - pkg:apache/tomcat@9.0.0%2BM10

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-18q4-zark-s7a7	When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.	CVE-2016-6794 GHSA-2rvf-329f-p99g
VCID-3cr9-g81m-4ugy	In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.	CVE-2016-5018 GHSA-4v3g-g84w-hv7r
VCID-3n4t-bvb1-5qer	A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.	CVE-2016-6796 GHSA-3mjp-p938-4329
VCID-kagr-74d9-kyhx	The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.	CVE-2016-0762 GHSA-wxcp-f2c8-x6xv
VCID-xf8r-kqxb-7qdy	The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.	CVE-2016-6797 GHSA-q6x7-f33r-3wxx

Vulnerability

Summary

Aliases

VCID-18q4-zark-s7a7

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

CVE-2016-6794
GHSA-2rvf-329f-p99g

VCID-3cr9-g81m-4ugy

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

CVE-2016-5018
GHSA-4v3g-g84w-hv7r

VCID-3n4t-bvb1-5qer

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

CVE-2016-6796
GHSA-3mjp-p938-4329

VCID-kagr-74d9-kyhx

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

CVE-2016-0762
GHSA-wxcp-f2c8-x6xv

VCID-xf8r-kqxb-7qdy

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

CVE-2016-6797
GHSA-q6x7-f33r-3wxx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:09.692808+00:00	Apache Tomcat Importer	Fixing	VCID-kagr-74d9-kyhx	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:09.659452+00:00	Apache Tomcat Importer	Fixing	VCID-3cr9-g81m-4ugy	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:09.627539+00:00	Apache Tomcat Importer	Fixing	VCID-18q4-zark-s7a7	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:09.594529+00:00	Apache Tomcat Importer	Fixing	VCID-3n4t-bvb1-5qer	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:09.560912+00:00	Apache Tomcat Importer	Fixing	VCID-xf8r-kqxb-7qdy	https://tomcat.apache.org/security-9.html	38.0.0