VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat-catalina@9.0.0.M13

Search for packages

Vulnerability	Summary	Fixed by
VCID-8mns-kw6c-a7dk Aliases: CVE-2024-52316 GHSA-xcpr-7mr4-h4xq	Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.	9.0.96 Affected by 0 other vulnerabilities. 10.1.30 Affected by 0 other vulnerabilities. 11.0.1 Affected by 0 other vulnerabilities.
VCID-enaj-f97c-jbh7 Aliases: CVE-2017-7674 GHSA-73rx-3f9r-x949	The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.	9.0.0.M22 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-hves-r5bg-yfes Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq	A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.	9.0.0.M14 Affected by 0 other vulnerabilities. 9.0.0.M15 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-8mns-kw6c-a7dk
Aliases:
CVE-2024-52316
GHSA-xcpr-7mr4-h4xq

Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.

9.0.96
Affected by 0 other vulnerabilities.

10.1.30
Affected by 0 other vulnerabilities.

11.0.1
Affected by 0 other vulnerabilities.

VCID-enaj-f97c-jbh7
Aliases:
CVE-2017-7674
GHSA-73rx-3f9r-x949

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

9.0.0.M22
Affected by 1 other vulnerability.

VCID-hves-r5bg-yfes
Aliases:
CVE-2016-8745
GHSA-w3j5-q8f2-3cqq

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

9.0.0.M14
Affected by 0 other vulnerabilities.

9.0.0.M15
Affected by 2 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-95d1-arxd-hkd1	Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.	CVE-2016-8735 GHSA-cw54-59pw-4g8c

Vulnerability

Summary

Aliases

VCID-95d1-arxd-hkd1

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVE-2016-8735
GHSA-cw54-59pw-4g8c

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T23:14:54.287944+00:00	GitLab Importer	Affected by	VCID-8mns-kw6c-a7dk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2024-52316.yml	38.4.0
2026-04-16T21:52:10.140705+00:00	GitLab Importer	Affected by	VCID-hves-r5bg-yfes	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-8745.yml	38.4.0
2026-04-16T21:48:18.395425+00:00	GitLab Importer	Fixing	VCID-95d1-arxd-hkd1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-8735.yml	38.4.0
2026-04-16T20:37:45.296143+00:00	GitLab Importer	Affected by	VCID-enaj-f97c-jbh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2017-7674.yml	38.4.0
2026-04-12T00:33:29.686355+00:00	GitLab Importer	Affected by	VCID-8mns-kw6c-a7dk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2024-52316.yml	38.3.0
2026-04-11T23:07:58.294518+00:00	GitLab Importer	Affected by	VCID-hves-r5bg-yfes	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-8745.yml	38.3.0
2026-04-11T23:04:11.860678+00:00	GitLab Importer	Fixing	VCID-95d1-arxd-hkd1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-8735.yml	38.3.0
2026-04-11T21:48:23.405910+00:00	GitLab Importer	Affected by	VCID-enaj-f97c-jbh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2017-7674.yml	38.3.0
2026-04-03T00:41:12.662352+00:00	GitLab Importer	Affected by	VCID-8mns-kw6c-a7dk	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2024-52316.yml	38.1.0
2026-04-02T23:16:25.394369+00:00	GitLab Importer	Affected by	VCID-hves-r5bg-yfes	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-8745.yml	38.1.0
2026-04-02T23:12:33.444734+00:00	GitLab Importer	Fixing	VCID-95d1-arxd-hkd1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-8735.yml	38.1.0
2026-04-02T22:02:18.362137+00:00	GitLab Importer	Affected by	VCID-enaj-f97c-jbh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2017-7674.yml	38.1.0
2026-04-01T17:32:29.096337+00:00	GitLab Importer	Fixing	VCID-95d1-arxd-hkd1	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-8735.yml	38.0.0
2026-04-01T16:19:26.355690+00:00	GitLab Importer	Affected by	VCID-enaj-f97c-jbh7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2017-7674.yml	38.0.0
2026-04-01T12:50:39.788299+00:00	GitLab Importer	Affected by	VCID-hves-r5bg-yfes	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat-catalina/CVE-2016-8745.yml	38.0.0