Search for packages
| purl | pkg:rpm/redhat/tomcat@7.0.54-8?arch=el7_2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7cpu-h5fr-8ffd
Aliases: CVE-2014-7810 GHSA-4c43-cwvx-9crh |
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation. | There are no reported fixed by versions. |
|
VCID-c12c-fsy1-17ee
Aliases: CVE-2016-5388 GHSA-v646-rx6w-r3qq |
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability. | There are no reported fixed by versions. |
|
VCID-kyb8-rvyw-s7b1
Aliases: CVE-2015-5346 GHSA-jrcp-c39h-r29x |
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. | There are no reported fixed by versions. |
|
VCID-msy8-g5w8-afbd
Aliases: CVE-2016-6325 |
tomcat: tomcat writable config files allow privilege escalation | There are no reported fixed by versions. |
|
VCID-ph7z-4q8j-kqbf
Aliases: CVE-2016-5425 |
tomcat: Local privilege escalation via systemd-tmpfiles service | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T14:41:06.738984+00:00 | RedHat Importer | Affected by | VCID-7cpu-h5fr-8ffd | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-7810.json | 38.0.0 |
| 2026-04-01T14:37:51.083741+00:00 | RedHat Importer | Affected by | VCID-kyb8-rvyw-s7b1 | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-5346.json | 38.0.0 |
| 2026-04-01T14:35:54.473364+00:00 | RedHat Importer | Affected by | VCID-c12c-fsy1-17ee | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5388.json | 38.0.0 |
| 2026-04-01T14:34:16.240829+00:00 | RedHat Importer | Affected by | VCID-msy8-g5w8-afbd | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-6325.json | 38.0.0 |
| 2026-04-01T14:34:16.206754+00:00 | RedHat Importer | Affected by | VCID-ph7z-4q8j-kqbf | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2016-5425.json | 38.0.0 |