VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat-catalina@8.0.47

Search for packages

Vulnerability	Summary	Fixed by
VCID-8mns-kw6c-a7dk Aliases: CVE-2024-52316 GHSA-xcpr-7mr4-h4xq	Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.	9.0.96 Affected by 0 other vulnerabilities. 10.1.30 Affected by 0 other vulnerabilities. 11.0.1 Affected by 0 other vulnerabilities.
VCID-c12c-fsy1-17ee Aliases: CVE-2016-5388 GHSA-v646-rx6w-r3qq	Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.	8.5.5 Affected by 10 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-8mns-kw6c-a7dk
Aliases:
CVE-2024-52316
GHSA-xcpr-7mr4-h4xq

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

9.0.96
Affected by 0 other vulnerabilities.

10.1.30
Affected by 0 other vulnerabilities.

11.0.1
Affected by 0 other vulnerabilities.

VCID-c12c-fsy1-17ee
Aliases:
CVE-2016-5388
GHSA-v646-rx6w-r3qq

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

8.5.5
Affected by 10 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-vdnj-sqmx-e3ep	When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	CVE-2017-12617 GHSA-xjgh-84hx-56c5

Vulnerability

Summary

Aliases

VCID-vdnj-sqmx-e3ep

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

CVE-2017-12617
GHSA-xjgh-84hx-56c5

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:14:53.954458+00:00	GitLab Importer	Affected by	VCID-8mns-kw6c-a7dk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2024-52316.yml	38.4.0
2026-04-16T21:48:05.912674+00:00	GitLab Importer	Affected by	VCID-c12c-fsy1-17ee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-5388.yml	38.4.0
2026-04-12T00:33:29.306311+00:00	GitLab Importer	Affected by	VCID-8mns-kw6c-a7dk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2024-52316.yml	38.3.0
2026-04-11T23:03:59.306342+00:00	GitLab Importer	Affected by	VCID-c12c-fsy1-17ee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-5388.yml	38.3.0
2026-04-04T14:30:16.120517+00:00	GHSA Importer	Fixing	VCID-vdnj-sqmx-e3ep	https://github.com/advisories/GHSA-xjgh-84hx-56c5	38.1.0
2026-04-03T00:41:12.283026+00:00	GitLab Importer	Affected by	VCID-8mns-kw6c-a7dk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2024-52316.yml	38.1.0
2026-04-02T23:12:20.629574+00:00	GitLab Importer	Affected by	VCID-c12c-fsy1-17ee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-5388.yml	38.1.0
2026-04-01T17:32:16.392680+00:00	GitLab Importer	Affected by	VCID-c12c-fsy1-17ee	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-5388.yml	38.0.0
2026-04-01T13:09:48.443767+00:00	GithubOSV Importer	Fixing	VCID-vdnj-sqmx-e3ep	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xjgh-84hx-56c5/GHSA-xjgh-84hx-56c5.json	38.0.0