Package details: pkg:apache/tomcat@9.0.13
purl pkg:apache/tomcat@9.0.13
Next non-vulnerable version 9.0.16
Latest non-vulnerable version 11.0.21
Risk 10.0
Vulnerabilities affecting this package (4)
VCID-3vdn-j7sj-dfdn
Aliases: CVE-2024-38286, GHSA-7jqf-v358-p8g7
Summary: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.13 through 9.0.89. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.35 through 8.5.100 and 7.0.92 through 7.0.109. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M21, 10.1.25, or 9.0.90, which fixes the issue. Apache Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.
Fixed by: 9.0.90 (affected by 0 other vulnerabilities); 10.1.25 (affected by 0 other vulnerabilities); 11.0.0-M21 (affected by 0 other vulnerabilities)

VCID-d1fm-vbd1-n7au
Aliases: CVE-2026-34487, GHSA-x4m4-345f-5h5g
Fixed by: 9.0.117 (affected by 0 other vulnerabilities); 10.1.54 (affected by 0 other vulnerabilities); 11.0.21 (affected by 0 other vulnerabilities)

VCID-qkx6-32cj-jfbp
Aliases: CVE-2022-29885, GHSA-r84p-88g2-2vx2
Summary: The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.
Fixed by: 9.0.63 (affected by 0 other vulnerabilities); 10.0.21 (affected by 0 other vulnerabilities); 10.1.0-M15 (affected by 0 other vulnerabilities)

VCID-yrzk-1dbk-muhy
Aliases: CVE-2026-29146, GHSA-h468-7pvh-8vr8
Fixed by: 9.0.116 (affected by 5 other vulnerabilities); 9.0.117 (affected by 0 other vulnerabilities); 10.1.53 (affected by 5 other vulnerabilities); 10.1.54 (affected by 0 other vulnerabilities); 11.0.20 (affected by 5 other vulnerabilities); 11.0.21 (affected by 0 other vulnerabilities)
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-10T00:03:27.277170+00:00 | Apache Tomcat Importer | Affected by | VCID-yrzk-1dbk-muhy | https://tomcat.apache.org/security-9.html | 38.1.0
2026-04-10T00:03:26.988564+00:00 | Apache Tomcat Importer | Affected by | VCID-d1fm-vbd1-n7au | https://tomcat.apache.org/security-9.html | 38.1.0
2026-04-01T12:38:07.959296+00:00 | Apache Tomcat Importer | Affected by | VCID-qkx6-32cj-jfbp | https://tomcat.apache.org/security-9.html | 38.0.0
2026-04-01T12:38:07.482522+00:00 | Apache Tomcat Importer | Affected by | VCID-3vdn-j7sj-dfdn | https://tomcat.apache.org/security-9.html | 38.0.0