VulnerableCode Package Details - pkg:apache/tomcat@9.0.0%2BM22

Search for packages

Vulnerability	Summary	Fixed by
VCID-qbfw-16rt-qyc7 Aliases: CVE-2017-15706 GHSA-372q-33vh-8mpc	As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.	9.0.2 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-qbfw-16rt-qyc7
Aliases:
CVE-2017-15706
GHSA-372q-33vh-8mpc

As part of the fix for bug 61201, the documentation for Apache Tomcat 9.0.0.M22 to 9.0.1, 8.5.16 to 8.5.23, 8.0.45 to 8.0.47 and 7.0.79 to 7.0.82 included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected.

9.0.2
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-4tf3-7f5b-2ffu	The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.	CVE-2017-7675 GHSA-68g5-8q7f-m384
VCID-enaj-f97c-jbh7	The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.	CVE-2017-7674 GHSA-73rx-3f9r-x949

Vulnerability

Summary

Aliases

VCID-4tf3-7f5b-2ffu

The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M21 and 8.5.0 to 8.5.15 bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL.

CVE-2017-7675
GHSA-68g5-8q7f-m384

VCID-enaj-f97c-jbh7

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

CVE-2017-7674
GHSA-73rx-3f9r-x949

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:38:09.207127+00:00	Apache Tomcat Importer	Fixing	VCID-enaj-f97c-jbh7	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:09.179675+00:00	Apache Tomcat Importer	Fixing	VCID-4tf3-7f5b-2ffu	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:09.099695+00:00	Apache Tomcat Importer	Affected by	VCID-qbfw-16rt-qyc7	https://tomcat.apache.org/security-9.html	38.0.0