Search for packages
| purl | pkg:maven/org.apache.tomcat/tomcat@8.0.0 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-18q4-zark-s7a7
Aliases: CVE-2016-6794 GHSA-2rvf-329f-p99g |
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. |
Affected by 12 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-2sbh-sy57-3uez
Aliases: CVE-2018-1304 GHSA-6rxj-58jh-436r |
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. |
Affected by 5 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-4mkw-7haq-pkgn
Aliases: CVE-2014-0230 GHSA-pxcx-cxq8-4mmw |
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts. |
Affected by 22 other vulnerabilities. |
|
VCID-7cpu-h5fr-8ffd
Aliases: CVE-2014-7810 GHSA-4c43-cwvx-9crh |
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation. |
Affected by 0 other vulnerabilities. Affected by 21 other vulnerabilities. |
|
VCID-95d1-arxd-hkd1
Aliases: CVE-2016-8735 GHSA-cw54-59pw-4g8c |
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types. |
Affected by 11 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-9exq-fhv6-bbea
Aliases: CVE-2016-0763 GHSA-9hjv-9h75-xmpp |
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. |
Affected by 16 other vulnerabilities. Affected by 18 other vulnerabilities. |
|
VCID-a1by-zvtm-akdc
Aliases: CVE-2014-0227 GHSA-42j3-498q-m6vp |
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding. |
Affected by 22 other vulnerabilities. |
|
VCID-aeeu-fpay-wufz
Aliases: CVE-2018-1336 GHSA-m59c-jpc8-m2x4 |
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. |
Affected by 4 other vulnerabilities. Affected by 23 other vulnerabilities. Affected by 23 other vulnerabilities. |
|
VCID-fyfz-6tr5-2fc7
Aliases: CVE-2017-5664 GHSA-jmvv-524f-hj5j |
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. |
Affected by 7 other vulnerabilities. Affected by 27 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-g7bk-891a-uufy
Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5 |
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. |
Affected by 5 other vulnerabilities. Affected by 24 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-h9ds-trhx-m7aj
Aliases: CVE-2013-4286 GHSA-j448-j653-r3vj |
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090. | There are no reported fixed by versions. |
|
VCID-hmbm-5ysw-77bu
Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp |
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. |
Affected by 9 other vulnerabilities. Affected by 32 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
VCID-jf7u-dvpd-b7f4
Aliases: CVE-2014-0119 GHSA-prc3-7f44-w48j |
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application. |
Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-kgd1-bzst-muh7
Aliases: CVE-2014-0096 GHSA-qprx-q2r7-3rx6 |
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. |
Affected by 27 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. |
|
VCID-kzzv-rhya-j7dd
Aliases: CVE-2014-0075 GHSA-475f-74wp-pqv5 |
Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data. |
Affected by 0 other vulnerabilities. Affected by 27 other vulnerabilities. |
|
VCID-m1zd-uytj-3bej
Aliases: CVE-2017-5647 GHSA-3gv7-3h64-78cm |
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. |
Affected by 9 other vulnerabilities. Affected by 8 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
VCID-m2zn-ja8d-7kg8
Aliases: CVE-2018-8034 GHSA-46j3-r4pj-4835 |
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. |
Affected by 1 other vulnerability. Affected by 20 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-n3zn-tuck-gkfe
Aliases: CVE-2018-8014 GHSA-r4x2-3cq5-hqvp |
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. |
Affected by 1 other vulnerability. Affected by 20 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-vhjj-dnft-kkf4
Aliases: CVE-2015-5351 GHSA-w7cg-5969-678w |
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. |
Affected by 0 other vulnerabilities. Affected by 16 other vulnerabilities. Affected by 1 other vulnerability. Affected by 18 other vulnerabilities. |
|
VCID-xf8r-kqxb-7qdy
Aliases: CVE-2016-6797 GHSA-q6x7-f33r-3wxx |
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. |
Affected by 12 other vulnerabilities. Affected by 33 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
VCID-yfx4-4gsc-2kgh
Aliases: CVE-2020-1935 GHSA-qxf4-chvg-4r8r |
In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. |
Affected by 13 other vulnerabilities. Affected by 12 other vulnerabilities. |
|
VCID-ygvw-69am-s7ae
Aliases: CVE-2014-0099 GHSA-xh5x-j8jf-pcpx |
Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. |
Affected by 27 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 24 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||