VulnerableCode Package Details - pkg:ebuild/www-servers/tomcat@9.0.65

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-885s-t4dx-dybv	Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.	CVE-2021-33037 GHSA-4vww-mc66-62m6
VCID-dtvw-92bk-wbcf	A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.	CVE-2021-30639 GHSA-44qp-qhfv-c7f6
VCID-kwab-3s4q-eka4	A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.	CVE-2021-30640 GHSA-36qh-35cm-5w2w
VCID-n3ab-nk7c-hqc9	The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.	CVE-2021-25329 GHSA-jgwr-3qm3-26f3
VCID-p8q2-pt96-5ye8	In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.	CVE-2022-34305 GHSA-6j88-6whg-x687
VCID-t2ne-75ck-eqcr	When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.	CVE-2021-25122 GHSA-j39c-c8hj-x4j3
VCID-wptr-hkjx-s7c3	The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.	CVE-2021-42340 GHSA-wph7-x527-w3h5

Vulnerability

Summary

Aliases

VCID-885s-t4dx-dybv

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

CVE-2021-33037
GHSA-4vww-mc66-62m6

VCID-dtvw-92bk-wbcf

A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64.

CVE-2021-30639
GHSA-44qp-qhfv-c7f6

VCID-kwab-3s4q-eka4

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

CVE-2021-30640
GHSA-36qh-35cm-5w2w

VCID-n3ab-nk7c-hqc9

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.

CVE-2021-25329
GHSA-jgwr-3qm3-26f3

VCID-p8q2-pt96-5ye8

In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability.

CVE-2022-34305
GHSA-6j88-6whg-x687

VCID-t2ne-75ck-eqcr

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.

CVE-2021-25122
GHSA-j39c-c8hj-x4j3

VCID-wptr-hkjx-s7c3

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.

CVE-2021-42340
GHSA-wph7-x527-w3h5

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:02:40.138100+00:00	Gentoo Importer	Fixing	VCID-p8q2-pt96-5ye8	https://security.gentoo.org/glsa/202208-34	38.0.0
2026-04-01T13:02:40.119322+00:00	Gentoo Importer	Fixing	VCID-wptr-hkjx-s7c3	https://security.gentoo.org/glsa/202208-34	38.0.0
2026-04-01T13:02:40.095031+00:00	Gentoo Importer	Fixing	VCID-885s-t4dx-dybv	https://security.gentoo.org/glsa/202208-34	38.0.0
2026-04-01T13:02:40.074541+00:00	Gentoo Importer	Fixing	VCID-kwab-3s4q-eka4	https://security.gentoo.org/glsa/202208-34	38.0.0
2026-04-01T13:02:40.055995+00:00	Gentoo Importer	Fixing	VCID-dtvw-92bk-wbcf	https://security.gentoo.org/glsa/202208-34	38.0.0
2026-04-01T13:02:40.039784+00:00	Gentoo Importer	Fixing	VCID-n3ab-nk7c-hqc9	https://security.gentoo.org/glsa/202208-34	38.0.0
2026-04-01T13:02:40.023157+00:00	Gentoo Importer	Fixing	VCID-t2ne-75ck-eqcr	https://security.gentoo.org/glsa/202208-34	38.0.0