VulnerableCode Package Details - pkg:apache/tomcat@9.0.40

Search for packages

Vulnerability	Summary	Fixed by
VCID-2rmy-13ym-3bgm Aliases: CVE-2026-34483 GHSA-rv64-5gf8-9qq8		9.0.117 Affected by 0 other vulnerabilities. 10.1.54 Affected by 0 other vulnerabilities. 11.0.21 Affected by 0 other vulnerabilities.
VCID-cfhw-vmcp-y3bc Aliases: CVE-2025-55754 GHSA-vfww-5hm6-hx2j	Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.	9.0.109 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 10.1.45 Affected by 0 other vulnerabilities. 11.0.11 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-stds-vw5z-auhp Aliases: CVE-2022-45143 GHSA-rq2w-37h9-vg94	The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.	9.0.69 Affected by 0 other vulnerabilities. 10.1.2 Affected by 0 other vulnerabilities.
VCID-wptr-hkjx-s7c3 Aliases: CVE-2021-42340 GHSA-wph7-x527-w3h5	The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.	9.0.54 Affected by 0 other vulnerabilities. 10.0.12 Affected by 0 other vulnerabilities. 10.1.0-M6 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-2rmy-13ym-3bgm
Aliases:
CVE-2026-34483
GHSA-rv64-5gf8-9qq8

9.0.117
Affected by 0 other vulnerabilities.

10.1.54
Affected by 0 other vulnerabilities.

11.0.21
Affected by 0 other vulnerabilities.

VCID-cfhw-vmcp-y3bc
Aliases:
CVE-2025-55754
GHSA-vfww-5hm6-hx2j

Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.

9.0.109
Affected by 1 other vulnerability.

10.1.45
Affected by 0 other vulnerabilities.

11.0.11
Affected by 1 other vulnerability.

VCID-stds-vw5z-auhp
Aliases:
CVE-2022-45143
GHSA-rq2w-37h9-vg94

The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

9.0.69
Affected by 0 other vulnerabilities.

10.1.2
Affected by 0 other vulnerabilities.

VCID-wptr-hkjx-s7c3
Aliases:
CVE-2021-42340
GHSA-wph7-x527-w3h5

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

9.0.54
Affected by 0 other vulnerabilities.

10.0.12
Affected by 0 other vulnerabilities.

10.1.0-M6
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-a8gk-n8bq-87cp	When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.	CVE-2021-24122 GHSA-2rvv-w9r2-rg7m
VCID-ran8-rnqn-tkbc	While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.	CVE-2020-17527 GHSA-vvw4-rfwf-p6hx

Vulnerability

Summary

Aliases

VCID-a8gk-n8bq-87cp

When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.

CVE-2021-24122
GHSA-2rvv-w9r2-rg7m

VCID-ran8-rnqn-tkbc

While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests.

CVE-2020-17527
GHSA-vvw4-rfwf-p6hx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-10T00:03:27.124040+00:00	Apache Tomcat Importer	Affected by	VCID-2rmy-13ym-3bgm	https://tomcat.apache.org/security-9.html	38.1.0
2026-04-01T12:38:08.343292+00:00	Apache Tomcat Importer	Fixing	VCID-ran8-rnqn-tkbc	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:08.316524+00:00	Apache Tomcat Importer	Fixing	VCID-a8gk-n8bq-87cp	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:08.048563+00:00	Apache Tomcat Importer	Affected by	VCID-wptr-hkjx-s7c3	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:07.866674+00:00	Apache Tomcat Importer	Affected by	VCID-stds-vw5z-auhp	https://tomcat.apache.org/security-9.html	38.0.0
2026-04-01T12:38:06.796607+00:00	Apache Tomcat Importer	Affected by	VCID-cfhw-vmcp-y3bc	https://tomcat.apache.org/security-9.html	38.0.0