Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.apache.tomcat/tomcat@8.5.98
purl pkg:maven/org.apache.tomcat/tomcat@8.5.98
Next non-vulnerable version 9.0.117
Latest non-vulnerable version 11.0.21
Risk 4.0
Vulnerabilities affecting this package (3)
Vulnerability Summary Fixed by
VCID-g7bk-891a-uufy
Aliases:
CVE-2018-1305
GHSA-jx6h-3fjx-cgv5
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
9.0.5
Affected by 24 other vulnerabilities.
VCID-p6pa-f1fg-hbhg
Aliases:
CVE-2024-23672
GHSA-v682-8vv8-vpwr
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
8.5.99
Affected by 1 other vulnerability.
9.0.86
Affected by 1 other vulnerability.
10.1.19
Affected by 1 other vulnerability.
11.0.0-M17
Affected by 1 other vulnerability.
VCID-vsdf-4tfj-uybe
Aliases:
CVE-2024-24549
GHSA-7w75-32cg-r6g2
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
8.5.99
Affected by 1 other vulnerability.
9.0.86
Affected by 1 other vulnerability.
10.1.19
Affected by 1 other vulnerability.
11.0.0-M17
Affected by 1 other vulnerability.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-16T20:41:45.756124+00:00 GitLab Importer Affected by VCID-g7bk-891a-uufy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml 38.4.0
2026-04-11T21:52:21.667656+00:00 GitLab Importer Affected by VCID-g7bk-891a-uufy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml 38.3.0
2026-04-02T22:06:08.523701+00:00 GitLab Importer Affected by VCID-g7bk-891a-uufy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml 38.1.0
2026-04-01T16:23:07.251201+00:00 GitLab Importer Affected by VCID-g7bk-891a-uufy https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.apache.tomcat/tomcat/CVE-2018-1305.yml 38.0.0
2026-04-01T12:38:09.982519+00:00 Apache Tomcat Importer Affected by VCID-vsdf-4tfj-uybe https://tomcat.apache.org/security-8.html 38.0.0
2026-04-01T12:38:09.950945+00:00 Apache Tomcat Importer Affected by VCID-p6pa-f1fg-hbhg https://tomcat.apache.org/security-8.html 38.0.0