VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat@8.5.90

Search for packages

Vulnerability	Summary	Fixed by
VCID-6kcx-vptm-zbds Aliases: CVE-2023-42794 GHSA-jm7m-8jh6-29hp	Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Other, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.	8.5.94 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 9.0.81 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-b3bb-9ajg-sfc9 Aliases: CVE-2023-46589 GHSA-fccv-jmmp-qg76	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.	8.5.96 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.0.83 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.16 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M11 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.1 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-g7bk-891a-uufy Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5	Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.	9.0.5 Affected by 24 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-6kcx-vptm-zbds
Aliases:
CVE-2023-42794
GHSA-jm7m-8jh6-29hp

Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Other, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.

8.5.94
Affected by 2 other vulnerabilities.

9.0.81
Affected by 1 other vulnerability.

VCID-b3bb-9ajg-sfc9
Aliases:
CVE-2023-46589
GHSA-fccv-jmmp-qg76

Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.

8.5.96
Affected by 1 other vulnerability.

9.0.83
Affected by 2 other vulnerabilities.

10.1.16
Affected by 1 other vulnerability.

11.0.0-M11
Affected by 4 other vulnerabilities.

11.0.1
Affected by 4 other vulnerabilities.

VCID-g7bk-891a-uufy
Aliases:
CVE-2018-1305
GHSA-jx6h-3fjx-cgv5

Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

9.0.5
Affected by 24 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T22:44:12.409470+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml	38.4.0
2026-04-16T22:40:23.580125+00:00	GitLab Importer	Affected by	VCID-6kcx-vptm-zbds	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-42794.yml	38.4.0
2026-04-16T20:41:45.729957+00:00	GitLab Importer	Affected by	VCID-g7bk-891a-uufy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml	38.4.0
2026-04-12T00:03:49.355396+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml	38.3.0
2026-04-11T23:59:50.993760+00:00	GitLab Importer	Affected by	VCID-6kcx-vptm-zbds	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-42794.yml	38.3.0
2026-04-11T21:52:21.637330+00:00	GitLab Importer	Affected by	VCID-g7bk-891a-uufy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml	38.3.0
2026-04-03T00:08:30.000314+00:00	GitLab Importer	Affected by	VCID-b3bb-9ajg-sfc9	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-46589.yml	38.1.0
2026-04-03T00:02:54.562079+00:00	GitLab Importer	Affected by	VCID-6kcx-vptm-zbds	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2023-42794.yml	38.1.0
2026-04-02T22:06:08.496005+00:00	GitLab Importer	Affected by	VCID-g7bk-891a-uufy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml	38.1.0
2026-04-01T16:23:07.217791+00:00	GitLab Importer	Affected by	VCID-g7bk-891a-uufy	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml	38.0.0