Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:rpm/redhat/tomcat5@5.5.33-27_patch_07.ep5?arch=el5
purl pkg:rpm/redhat/tomcat5@5.5.33-27_patch_07.ep5?arch=el5
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 10.0
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-1v6c-f56v-hqh1
Aliases:
CVE-2011-5062
GHSA-4f7h-9j2x-cmr4
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184. There are no reported fixed by versions.
VCID-241m-q6vd-kudk
Aliases:
CVE-2011-2526
GHSA-9ggm-7897-x4mg
Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application. There are no reported fixed by versions.
VCID-8ebv-6941-jqdy
Aliases:
CVE-2011-5063
GHSA-hffm-fqv4-w27r
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184. There are no reported fixed by versions.
VCID-d9ys-kxh6-nkgr
Aliases:
CVE-2011-1184
GHSA-q9xf-jwr4-v445
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values. There are no reported fixed by versions.
VCID-egye-da2v-4ybh
Aliases:
CVE-2011-5064
GHSA-6cr4-7c7p-p3xv
Use of Hard-coded Cryptographic Key in Apache Tomcat DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184. There are no reported fixed by versions.
VCID-hhk9-cr54-8fgc
Aliases:
CVE-2012-0022
GHSA-8h2q-qm9x-55jc
Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858. There are no reported fixed by versions.
VCID-mctd-9zgv-5qgp
Aliases:
CVE-2011-2204
GHSA-c57p-3v2g-w9rg
Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. There are no reported fixed by versions.
VCID-quwu-ep21-cyew
Aliases:
CVE-2011-3190
GHSA-c38m-v4m2-524v
Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. There are no reported fixed by versions.
VCID-zbbr-wded-9ffj
Aliases:
CVE-2011-4858
GHSA-wr3m-gw98-mc3j
Improper Input Validation in Apache Tomcat Apache Tomcat before 5.5.35, 6.x before 6.0.35, and 7.x before 7.0.23 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T14:56:31.627860+00:00 RedHat Importer Affected by VCID-mctd-9zgv-5qgp https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2204.json 38.0.0
2026-04-01T14:56:30.957958+00:00 RedHat Importer Affected by VCID-241m-q6vd-kudk https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-2526.json 38.0.0
2026-04-01T14:56:24.651346+00:00 RedHat Importer Affected by VCID-quwu-ep21-cyew https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-3190.json 38.0.0
2026-04-01T14:56:20.253767+00:00 RedHat Importer Affected by VCID-egye-da2v-4ybh https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-5064.json 38.0.0
2026-04-01T14:56:20.102631+00:00 RedHat Importer Affected by VCID-8ebv-6941-jqdy https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-5063.json 38.0.0
2026-04-01T14:56:19.956169+00:00 RedHat Importer Affected by VCID-1v6c-f56v-hqh1 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-5062.json 38.0.0
2026-04-01T14:56:19.825917+00:00 RedHat Importer Affected by VCID-d9ys-kxh6-nkgr https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-1184.json 38.0.0
2026-04-01T14:56:07.884933+00:00 RedHat Importer Affected by VCID-zbbr-wded-9ffj https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-4858.json 38.0.0
2026-04-01T14:55:58.601047+00:00 RedHat Importer Affected by VCID-hhk9-cr54-8fgc https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-0022.json 38.0.0