Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.apache.tomcat/tomcat@4.1.39
purl pkg:maven/org.apache.tomcat/tomcat@4.1.39
Tags Ghost
Next non-vulnerable version 9.0.117
Latest non-vulnerable version 11.0.21
Risk 10.0
Vulnerabilities affecting this package (5)
Vulnerability Summary Fixed by
VCID-4rcx-xfn5-7kdb
Aliases:
CVE-2009-0580
GHSA-w227-xcfx-3pj8
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.
4.1.40
Affected by 1 other vulnerability.
5.5.28
Affected by 4 other vulnerabilities.
6.0.19
Affected by 0 other vulnerabilities.
6.0.20
Affected by 4 other vulnerabilities.
VCID-bung-pa58-ayfv
Aliases:
CVE-2009-0781
GHSA-j788-fx57-99wp
Cross-site scripting (XSS) vulnerability in jsp/cal/cal2.jsp in the calendar application in the examples web application in Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 allows remote attackers to inject arbitrary web script or HTML via the time parameter, related to "invalid HTML."
4.1.40
Affected by 1 other vulnerability.
5.5.28
Affected by 4 other vulnerabilities.
6.0.20
Affected by 4 other vulnerabilities.
VCID-dcrp-rae1-zfcm
Aliases:
CVE-2009-0033
GHSA-5cw4-ggx9-36vg
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.
4.1.40
Affected by 1 other vulnerability.
5.5.28
Affected by 4 other vulnerabilities.
6.0.20
Affected by 4 other vulnerabilities.
VCID-mnf8-t3ew-4fgb
Aliases:
CVE-2008-5515
GHSA-9737-qmgc-hfr9
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
4.1.40
Affected by 1 other vulnerability.
5.5.28
Affected by 4 other vulnerabilities.
6.0.20
Affected by 4 other vulnerabilities.
VCID-r84b-7ay9-ekcm
Aliases:
CVE-2009-0783
GHSA-hhjg-g8xq-hhr3
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.
4.1.40
Affected by 1 other vulnerability.
5.5.28
Affected by 4 other vulnerabilities.
6.0.20
Affected by 4 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T16:00:37.281585+00:00 GHSA Importer Affected by VCID-r84b-7ay9-ekcm https://github.com/advisories/GHSA-hhjg-g8xq-hhr3 38.0.0
2026-04-01T16:00:36.944241+00:00 GHSA Importer Affected by VCID-bung-pa58-ayfv https://github.com/advisories/GHSA-j788-fx57-99wp 38.0.0
2026-04-01T16:00:36.180281+00:00 GHSA Importer Affected by VCID-dcrp-rae1-zfcm https://github.com/advisories/GHSA-5cw4-ggx9-36vg 38.0.0
2026-04-01T16:00:35.069954+00:00 GHSA Importer Fixing VCID-rwvj-tq6x-2ubs https://github.com/advisories/GHSA-m7xj-ccqc-p4g2 38.0.0
2026-04-01T13:08:33.619465+00:00 GithubOSV Importer Fixing VCID-rwvj-tq6x-2ubs https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m7xj-ccqc-p4g2/GHSA-m7xj-ccqc-p4g2.json 38.0.0
2026-04-01T12:50:01.280352+00:00 GitLab Importer Affected by VCID-dcrp-rae1-zfcm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2009-0033.yml 38.0.0
2026-04-01T12:50:00.776937+00:00 GitLab Importer Affected by VCID-bung-pa58-ayfv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2009-0781.yml 38.0.0
2026-04-01T12:50:00.055162+00:00 GitLab Importer Affected by VCID-r84b-7ay9-ekcm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2009-0783.yml 38.0.0
2026-04-01T12:38:19.775488+00:00 Apache Tomcat Importer Fixing VCID-acmu-9eqb-fya5 https://tomcat.apache.org/security-4.html 38.0.0
2026-04-01T12:38:19.747125+00:00 Apache Tomcat Importer Fixing VCID-a9cu-fxqw-xkdg https://tomcat.apache.org/security-4.html 38.0.0
2026-04-01T12:38:19.719172+00:00 Apache Tomcat Importer Fixing VCID-qdck-q54n-rkcv https://tomcat.apache.org/security-4.html 38.0.0
2026-04-01T12:38:19.686209+00:00 Apache Tomcat Importer Affected by VCID-r84b-7ay9-ekcm https://tomcat.apache.org/security-4.html 38.0.0
2026-04-01T12:38:19.656363+00:00 Apache Tomcat Importer Affected by VCID-bung-pa58-ayfv https://tomcat.apache.org/security-4.html 38.0.0
2026-04-01T12:38:19.627665+00:00 Apache Tomcat Importer Affected by VCID-4rcx-xfn5-7kdb https://tomcat.apache.org/security-4.html 38.0.0
2026-04-01T12:38:19.599232+00:00 Apache Tomcat Importer Affected by VCID-dcrp-rae1-zfcm https://tomcat.apache.org/security-4.html 38.0.0
2026-04-01T12:38:19.571418+00:00 Apache Tomcat Importer Affected by VCID-mnf8-t3ew-4fgb https://tomcat.apache.org/security-4.html 38.0.0