Search for packages
| purl | pkg:apache/tomcat@9.0.46 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-885s-t4dx-dybv
Aliases: CVE-2021-33037 GHSA-4vww-mc66-62m6 |
Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. |
Affected by 0 other vulnerabilities. Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-kwab-3s4q-eka4 | A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. |
CVE-2021-30640
GHSA-36qh-35cm-5w2w |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T12:38:08.123139+00:00 | Apache Tomcat Importer | Fixing | VCID-kwab-3s4q-eka4 | https://tomcat.apache.org/security-9.html | 38.0.0 |
| 2026-04-01T12:38:08.079850+00:00 | Apache Tomcat Importer | Affected by | VCID-885s-t4dx-dybv | https://tomcat.apache.org/security-9.html | 38.0.0 |