Package details: pkg:ebuild/www-servers/tomcat@8.0.36
purl pkg:ebuild/www-servers/tomcat@8.0.36
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (14)
Vulnerability Summary Aliases
VCID-1hdb-24e3-f3d6 In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. CVE-2017-5651, GHSA-9hg2-395j-83rm
VCID-1k8f-vsg1-k3d6 Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. CVE-2016-0706, GHSA-6vx3-hr43-cfrh
VCID-68fk-4g86-ekbp The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. CVE-2015-5345, GHSA-rh8q-vjgf-gf74
VCID-9exq-fhv6-bbea The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. CVE-2016-0763, GHSA-9hjv-9h75-xmpp
VCID-bk88-51w4-mfcn Multiple vulnerabilities have been found in Apache Tomcat, the worst of which could lead to privilege escalation. CVE-2016-1240
VCID-hmbm-5ysw-77bu While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. CVE-2017-5648, GHSA-3vx3-xf6q-r5xp
VCID-hves-r5bg-yfes A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards, where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug, but further investigation has shown that the bug is present in all currently supported Tomcat versions. CVE-2016-8745, GHSA-w3j5-q8f2-3cqq
VCID-kyb8-rvyw-s7b1 Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. CVE-2015-5346, GHSA-jrcp-c39h-r29x
VCID-m1zd-uytj-3bej A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. CVE-2017-5647, GHSA-3gv7-3h64-78cm
VCID-p6ch-pc73-b3ck Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. CVE-2015-5174, GHSA-6qr6-x7jm-x2q6
VCID-pqxe-tfhk-47b7 The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. CVE-2016-3092, GHSA-fvm3-cfvj-gxqq
VCID-tfrs-d458-tfaq The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. CVE-2016-0714, GHSA-mv42-px54-87jw
VCID-u3ck-cvgt-fuhd In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads. CVE-2017-5650, GHSA-9785-w233-x6hv
VCID-vhjj-dnft-kkf4 The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. CVE-2015-5351, GHSA-w7cg-5969-678w

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T13:03:01.545102+00:00 Gentoo Importer Fixing VCID-1hdb-24e3-f3d6 https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.532118+00:00 Gentoo Importer Fixing VCID-u3ck-cvgt-fuhd https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.517820+00:00 Gentoo Importer Fixing VCID-hmbm-5ysw-77bu https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.505199+00:00 Gentoo Importer Fixing VCID-m1zd-uytj-3bej https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.489560+00:00 Gentoo Importer Fixing VCID-hves-r5bg-yfes https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.473477+00:00 Gentoo Importer Fixing VCID-pqxe-tfhk-47b7 https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.460271+00:00 Gentoo Importer Fixing VCID-bk88-51w4-mfcn https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.443316+00:00 Gentoo Importer Fixing VCID-9exq-fhv6-bbea https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.429825+00:00 Gentoo Importer Fixing VCID-tfrs-d458-tfaq https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.414160+00:00 Gentoo Importer Fixing VCID-1k8f-vsg1-k3d6 https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.397358+00:00 Gentoo Importer Fixing VCID-vhjj-dnft-kkf4 https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.382625+00:00 Gentoo Importer Fixing VCID-kyb8-rvyw-s7b1 https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.367827+00:00 Gentoo Importer Fixing VCID-68fk-4g86-ekbp https://security.gentoo.org/glsa/201705-09 38.0.0
2026-04-01T13:03:01.351888+00:00 Gentoo Importer Fixing VCID-p6ch-pc73-b3ck https://security.gentoo.org/glsa/201705-09 38.0.0