VulnerableCode Package Details - pkg:ebuild/www-servers/tomcat@6.0.16

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7pd9-1r19-73fe	Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.	CVE-2007-6286 GHSA-qrj4-rmqg-4hcp
VCID-88v7-kc2y-bfd7	Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.	CVE-2007-5461 GHSA-v5p2-vg3c-pmrr
VCID-hhkg-mfp5-2kax	The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.	CVE-2007-5342 GHSA-w65j-cmqc-37p2
VCID-t9y6-suc2-2kcg	Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception.	CVE-2008-0002 GHSA-5x5f-9r6q-q7mh
VCID-v94p-bxm3-akfd	Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.	CVE-2007-5333 GHSA-cww4-vj5r-rx57

Vulnerability

Summary

Aliases

VCID-7pd9-1r19-73fe

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of "a duplicate copy of one of the recent requests," as demonstrated by using netcat to send the empty request.

CVE-2007-6286
GHSA-qrj4-rmqg-4hcp

VCID-88v7-kc2y-bfd7

Absolute path traversal vulnerability in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0, 5.0.0, 5.5.0 through 5.5.25, and 6.0.0 through 6.0.14, under certain configurations, allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag.

CVE-2007-5461
GHSA-v5p2-vg3c-pmrr

VCID-hhkg-mfp5-2kax

The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.

CVE-2007-5342
GHSA-w65j-cmqc-37p2

VCID-t9y6-suc2-2kcg

Apache Tomcat 6.0.0 through 6.0.15 processes parameters in the context of the wrong request when an exception occurs during parameter processing, which might allow remote attackers to obtain sensitive information, as demonstrated by disconnecting during this processing in order to trigger the exception.

CVE-2008-0002
GHSA-5x5f-9r6q-q7mh

VCID-v94p-bxm3-akfd

Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.

CVE-2007-5333
GHSA-cww4-vj5r-rx57

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T12:58:32.249764+00:00	Gentoo Importer	Fixing	VCID-t9y6-suc2-2kcg	https://security.gentoo.org/glsa/200804-10	38.0.0
2026-04-01T12:58:32.239922+00:00	Gentoo Importer	Fixing	VCID-7pd9-1r19-73fe	https://security.gentoo.org/glsa/200804-10	38.0.0
2026-04-01T12:58:32.230230+00:00	Gentoo Importer	Fixing	VCID-88v7-kc2y-bfd7	https://security.gentoo.org/glsa/200804-10	38.0.0
2026-04-01T12:58:32.220016+00:00	Gentoo Importer	Fixing	VCID-hhkg-mfp5-2kax	https://security.gentoo.org/glsa/200804-10	38.0.0
2026-04-01T12:58:32.209118+00:00	Gentoo Importer	Fixing	VCID-v94p-bxm3-akfd	https://security.gentoo.org/glsa/200804-10	38.0.0