VulnerableCode Package Details - pkg:apache/tomcat@9.0.0%2BM17

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:apache/tomcat@9.0.0%2BM17

Essentials
History (2)

purl	pkg:apache/tomcat@9.0.0%2BM17

Next non-vulnerable version	9.0.0+M19
Latest non-vulnerable version	11.0.22
Risk	4.5

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-se44-f85s-xyex Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp	Exposure of Resource to Wrong Sphere Some calls to application listeners in Apache Tomcat did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.	9.0.0+M18 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (1)

Vulnerability	Summary	Aliases
VCID-nndc-pabd-nbgf	Apache Tomcat allows remote attackers to read data that was intended to be associated with a different request An information disclosure issue was discovered in Apache Tomcat 8.5.7 to 8.5.9 and 9.0.0.M11 to 9.0.0.M15 in reverse-proxy configurations. Http11InputBuffer.java allows remote attackers to read data that was intended to be associated with a different request.	CVE-2016-8747 GHSA-fjwp-r6fm-q6qw

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T16:25:33.447363+00:00	Apache Tomcat Importer	Fixing	VCID-nndc-pabd-nbgf	https://tomcat.apache.org/security-9.html	38.6.0
2026-06-04T16:25:33.385607+00:00	Apache Tomcat Importer	Affected by	VCID-se44-f85s-xyex	https://tomcat.apache.org/security-9.html	38.6.0