VulnerableCode Package Details - pkg:rpm/redhat/tomcat@7.0.76-3?arch=el7

Search for packages

Vulnerability	Summary	Fixed by
VCID-enaj-f97c-jbh7 Aliases: CVE-2017-7674 GHSA-73rx-3f9r-x949	The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.	There are no reported fixed by versions.
VCID-m1zd-uytj-3bej Aliases: CVE-2017-5647 GHSA-3gv7-3h64-78cm	A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.	There are no reported fixed by versions.
VCID-q6hm-mmfs-zka5 Aliases: CVE-2017-12615 GHSA-pjfr-qf3p-3q25	When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	There are no reported fixed by versions.
VCID-vdnj-sqmx-e3ep Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-enaj-f97c-jbh7
Aliases:
CVE-2017-7674
GHSA-73rx-3f9r-x949

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

There are no reported fixed by versions.

VCID-m1zd-uytj-3bej
Aliases:
CVE-2017-5647
GHSA-3gv7-3h64-78cm

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

There are no reported fixed by versions.

VCID-q6hm-mmfs-zka5
Aliases:
CVE-2017-12615
GHSA-pjfr-qf3p-3q25

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

There are no reported fixed by versions.

VCID-vdnj-sqmx-e3ep
Aliases:
CVE-2017-12617
GHSA-xjgh-84hx-56c5

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T14:31:12.291255+00:00	RedHat Importer	Affected by	VCID-m1zd-uytj-3bej	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-5647.json	38.0.0
2026-04-01T14:29:12.545499+00:00	RedHat Importer	Affected by	VCID-enaj-f97c-jbh7	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-7674.json	38.0.0
2026-04-01T14:28:42.716908+00:00	RedHat Importer	Affected by	VCID-q6hm-mmfs-zka5	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12615.json	38.0.0
2026-04-01T14:28:41.371229+00:00	RedHat Importer	Affected by	VCID-vdnj-sqmx-e3ep	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2017-12617.json	38.0.0