Search for packages
| purl | pkg:apache/tomcat@9.0.28 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-rq42-qvsy-hue6
Aliases: CVE-2019-17569 GHSA-767j-jfh2-jvrc |
The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99 introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. |
Affected by 0 other vulnerabilities. |
|
VCID-ruuh-g3fa-m7d8
Aliases: CVE-2019-12418 GHSA-hh3j-x4mc-g48r |
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:08.658663+00:00 | Apache Tomcat Importer | Affected by | VCID-ruuh-g3fa-m7d8 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.598706+00:00 | Apache Tomcat Importer | Affected by | VCID-rq42-qvsy-hue6 | https://tomcat.apache.org/security-9.html | 38.0.0 |