Search for packages
| purl | pkg:apache/tomcat@9.0.0%2BM9 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7fh9-36qs-jfg5
Aliases: CVE-2016-5018 GHSA-4v3g-g84w-hv7r |
Improper Access Control In Apache Tomcat, a malicious web application was able to bypass a configured `SecurityManager` via a Tomcat utility method that was accessible to web applications. | There are no reported fixed by versions. |
|
VCID-8xdc-3kn9-b3e6
Aliases: CVE-2018-8037 GHSA-6v52-mj5r-7j2m |
Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition) Tomcat contains a race condition that could result in a user seeing a response intended for a different user. |
Affected by 0 other vulnerabilities. |
|
VCID-axzz-cadr-b7fv
Aliases: CVE-2016-6794 GHSA-2rvf-329f-p99g |
Information Exposure When a `SecurityManager` is configured, a web application's ability to read system properties should be controlled by the `SecurityManager`. In Apache Tomcat, the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. | There are no reported fixed by versions. |
|
VCID-jzta-navk-87bn
Aliases: CVE-2016-6797 GHSA-q6x7-f33r-3wxx |
Incorrect Authorization The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 does not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. | There are no reported fixed by versions. |
|
VCID-s37s-p75k-27e6
Aliases: CVE-2016-6796 GHSA-3mjp-p938-4329 |
Apache Tomcat vulnerable to SecurityManager bypass A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. | There are no reported fixed by versions. |
|
VCID-tcmv-6ftg-fqen
Aliases: CVE-2016-0762 GHSA-wxcp-f2c8-x6xv |
Information Exposure Through Timing Discrepancy The Realm implementations in Apache Tomcat does not process the supplied password if the supplied user name did not exist which makes it possible to use a timing attack to determine valid user names. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-04T16:25:33.962633+00:00 | Apache Tomcat Importer | Affected by | VCID-tcmv-6ftg-fqen | https://tomcat.apache.org/security-9.html | 38.6.0 |
| 2026-06-04T16:25:33.906847+00:00 | Apache Tomcat Importer | Affected by | VCID-7fh9-36qs-jfg5 | https://tomcat.apache.org/security-9.html | 38.6.0 |
| 2026-06-04T16:25:33.850831+00:00 | Apache Tomcat Importer | Affected by | VCID-axzz-cadr-b7fv | https://tomcat.apache.org/security-9.html | 38.6.0 |
| 2026-06-04T16:25:33.795805+00:00 | Apache Tomcat Importer | Affected by | VCID-s37s-p75k-27e6 | https://tomcat.apache.org/security-9.html | 38.6.0 |
| 2026-06-04T16:25:33.734832+00:00 | Apache Tomcat Importer | Affected by | VCID-jzta-navk-87bn | https://tomcat.apache.org/security-9.html | 38.6.0 |
| 2026-06-04T16:25:32.632049+00:00 | Apache Tomcat Importer | Affected by | VCID-8xdc-3kn9-b3e6 | https://tomcat.apache.org/security-9.html | 38.6.0 |