Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/tomcat5@5.5.23-0jpp_4rh?arch=4
purl pkg:rpm/redhat/tomcat5@5.5.23-0jpp_4rh?arch=4
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (6)
Vulnerability Summary Fixed by
VCID-6p3e-4u8s-17ep
Aliases:
CVE-2007-3385
GHSA-6j8f-66vh-39mj
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. There are no reported fixed by versions.
VCID-7969-7a8h-zyhh
Aliases:
CVE-2007-3382
GHSA-qff8-g48j-pwpw
Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to 4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies, which might cause sensitive information such as session IDs to be leaked and allow remote attackers to conduct session hijacking attacks. There are no reported fixed by versions.
VCID-peya-mr7j-vugf
Aliases:
CVE-2007-2449
GHSA-hc39-rjwp-qffq
Multiple cross-site scripting (XSS) vulnerabilities in certain JSP files in the examples web application in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote attackers to inject arbitrary web script or HTML via the portion of the URI after the ';' character, as demonstrated by a URI containing a "snp/snoop.jsp;" sequence. There are no reported fixed by versions.
VCID-qxkf-4ddv-j3b7
Aliases:
CVE-2007-1358
GHSA-xmc9-6p56-3c4v
Cross-site scripting (XSS) vulnerability in certain applications using Apache Tomcat 4.0.0 through 4.0.6 and 4.1.0 through 4.1.34 allows remote attackers to inject arbitrary web script or HTML via crafted "Accept-Language headers that do not conform to RFC 2616". There are no reported fixed by versions.
VCID-su1y-2bxh-9qe2
Aliases:
CVE-2007-3386
Cross-site scripting (XSS) vulnerability in the Host Manager Servlet for Apache Tomcat 6.0.0 to 6.0.13 and 5.5.0 to 5.5.24 allows remote attackers to inject arbitrary HTML and web script via crafted requests, as demonstrated using the aliases parameter to an html/add action. There are no reported fixed by versions.
VCID-tcju-3rvu-wkht
Aliases:
CVE-2007-2450
GHSA-5c5p-jxvx-x7j2
Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:59:47.351816+00:00 RedHat Importer Affected by VCID-qxkf-4ddv-j3b7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-1358.json 38.0.0
2026-04-01T14:59:46.223481+00:00 RedHat Importer Affected by VCID-tcju-3rvu-wkht https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-2450.json 38.0.0
2026-04-01T14:59:45.881644+00:00 RedHat Importer Affected by VCID-peya-mr7j-vugf https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-2449.json 38.0.0
2026-04-01T14:59:39.771535+00:00 RedHat Importer Affected by VCID-su1y-2bxh-9qe2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-3386.json 38.0.0
2026-04-01T14:59:39.240281+00:00 RedHat Importer Affected by VCID-6p3e-4u8s-17ep https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-3385.json 38.0.0
2026-04-01T14:59:38.335570+00:00 RedHat Importer Affected by VCID-7969-7a8h-zyhh https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2007-3382.json 38.0.0