| purl | pkg:rpm/redhat/tomcat@7.0.76-12?arch=el7_7 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-dzpn-w4b3-vbcm (Aliases: CVE-2019-17563, GHSA-9xcj-c8cr-8c3c) | When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability. | There are no reported fixed-by versions. |
| VCID-yfx4-4gsc-2kgh (Aliases: CVE-2020-1935, GHSA-qxf4-chvg-4r8r) | In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely. | There are no reported fixed-by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T14:14:34.891476+00:00 | RedHat Importer | Affected by | VCID-dzpn-w4b3-vbcm | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-17563.json | 38.0.0 |
| 2026-04-01T14:12:14.420139+00:00 | RedHat Importer | Affected by | VCID-yfx4-4gsc-2kgh | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1935.json | 38.0.0 |