VulnerableCode Package Details - pkg:deb/debian/tomcat9@9.0.43-2?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-885s-t4dx-dybv	Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.	CVE-2021-33037 GHSA-4vww-mc66-62m6
VCID-kwab-3s4q-eka4	A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.	CVE-2021-30640 GHSA-36qh-35cm-5w2w

Vulnerability

Summary

Aliases

VCID-885s-t4dx-dybv

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

CVE-2021-33037
GHSA-4vww-mc66-62m6

VCID-kwab-3s4q-eka4

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

CVE-2021-30640
GHSA-36qh-35cm-5w2w

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:29:33.186508+00:00	Debian Importer	Fixing	VCID-885s-t4dx-dybv	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:01:24.049394+00:00	Debian Importer	Fixing	VCID-kwab-3s4q-eka4	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:49:55.683901+00:00	Debian Importer	Fixing	VCID-885s-t4dx-dybv	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:28:58.257771+00:00	Debian Importer	Fixing	VCID-kwab-3s4q-eka4	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:55:24.970336+00:00	Debian Importer	Fixing	VCID-885s-t4dx-dybv	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:55:24.914269+00:00	Debian Importer	Fixing	VCID-kwab-3s4q-eka4	https://security-tracker.debian.org/tracker/data/json	38.1.0