{"url":"http://public2.vulnerablecode.io/api/packages/32085?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.86","type":"maven","namespace":"org.apache.tomcat.embed","name":"tomcat-embed-core","version":"7.0.86","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"9.0.107","latest_non_vulnerable_version":"11.0.21","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4462?format=json","vulnerability_id":"VCID-66kh-s6cr-tqf9","summary":"When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter=\"null\" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00057.html"},{"reference_url":"http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://packetstormsecurity.com/files/157924/Apache-Tomcat-CVE-2020-9484-Proof-Of-Concept.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9484.json","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-9484.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-9484","reference_id":"","reference_type":"","scores":[{"value":"0.93325","scoring_system":"epss","scoring_elements":"0.99809","published_at":"2026-04-13T12:55:00Z"},{"value":"0.93325","scoring_system":"epss","scoring_elements":"0.99808","published_at":"2026-04-09T12:55:00Z"},{"value":"0.93325","scoring_system":"epss","scoring_elements":"0.99806","published_at":"2026-04-02T12:55:00Z"},{"value":"0.93325","scoring_system":"epss","scoring_elements":"0.99807","published_at":"2026-04-04T12:55:00Z"},{"value":"0.93325","scoring_system":"epss","scoring_elements":"0.99811","published_at":"2026-04-16T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-9484"},{"reference_url":"https://bugzilla.suse.com/show_bug.cgi?id=1171928","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.suse.com/show_bug.cgi?id=1171928"},{"reference_url":"http://seclists.org/fulldisclosure/2020/Jun/6","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://seclists.org/fulldisclosure/2020/Jun/6"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/apache/tomcat","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat"},{"reference_url":"https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222"},{"reference_url":"https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222.patch","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222.patch"},{"reference_url":"https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453"},{"reference_url":"https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623cfd06","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/53e30390943c18fca0c9e57dbcc14f1c623cfd06"},{"reference_url":"https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4"},{"reference_url":"https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf30d1f5","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf30d1f5"},{"reference_url":"https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251c6f35","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251c6f35"},{"reference_url":"https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/bb33048e3f9b4f2b70e4da2e6c4e34ca89023b1b"},{"reference_url":"https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f"},{"reference_url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10332","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://kc.mcafee.com/corporate/index?page=content&id=SB10332"},{"reference_url":"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c@%3Ccommits.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r123b3ebe389f46f9d337923f393cdae4d3e9b78d982d706712f0898c@%3Ccommits.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r26950738f4b4ca2d256597cf391d52d3450fa665c297ea5ca38f5469@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r77eae567ed829da9012cadb29af17f2df8fa23bf66faf88229857bb1%40%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7bc247fffcb1d58415215c861d2354bd653c86266230d78a93c71ae2@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c@%3Ccommits.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8dd19c514face6dd85fd4eab0271854883f40c7307926c1f7cd5400c@%3Ccommits.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f@%3Ccommits.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raa4123e472175bb052fbba165d37187cea923f755e8f3f30d124cb3f@%3Ccommits.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb1c0fb105ce2b93b7ec6fc1b77dd208022621a91c12d1f580813cfed@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc1778b38e74b5b6142414d57623bd55b023a72361f422836782fca3c@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3@%3Ccommits.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc8473b08abdf3c16494ed817bec1717a0ee0c8080315bc27db5f21c3@%3Ccommits.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119@%3Ccommits.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf59c72572b9fee674a5d5cc6afeca4ffc3918a02c354a81cc50b7119@%3Ccommits.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf70f53af27e04869bdac18b1fc14a3ee529e59eb12292c8791a77926@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00020.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/07/msg00010.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GIQHXENTLYUNOES4LXVNJ2NCUQQRF5VJ"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WJ7XHKWJWDNWXUJH6UB7CLIW4TWOZ26N"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9484","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-9484"},{"reference_url":"https://security.gentoo.org/glsa/202006-21","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202006-21"},{"reference_url":"https://security.netapp.com/advisory/ntap-20200528-0005","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20200528-0005"},{"reference_url":"https://tomcat.apache.org/security-10.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tomcat.apache.org/security-10.html"},{"reference_url":"https://tomcat.apache.org/security-7.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tomcat.apache.org/security-7.html"},{"reference_url":"https://tomcat.apache.org/security-8.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tomcat.apache.org/security-8.html"},{"reference_url":"https://tomcat.apache.org/security-9.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tomcat.apache.org/security-9.html"},{"reference_url":"https://usn.ubuntu.com/4448-1","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/4448-1"},{"reference_url":"https://usn.ubuntu.com/4596-1","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/4596-1"},{"reference_url":"https://www.debian.org/security/2020/dsa-4727","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4727"},{"reference_url":"https://www.oracle.com/security-alerts/cpuApr2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuApr2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/03/01/2","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/03/01/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1838332","reference_id":"1838332","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1838332"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961209","reference_id":"961209","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961209"},{"reference_url":"https://security.archlinux.org/ASA-202006-7","reference_id":"ASA-202006-7","reference_type":"","scores":[],"url":"https://security.archlinux.org/ASA-202006-7"},{"reference_url":"https://security.archlinux.org/AVG-1171","reference_id":"AVG-1171","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1171"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484","reference_id":"CVE-2020-9484","reference_type":"","scores":[{"value":"High","scoring_system":"apache_tomcat","scoring_elements":""},{"value":"Important","scoring_system":"apache_tomcat","scoring_elements":""},{"value":"Low","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484"},{"reference_url":"https://github.com/advisories/GHSA-344f-f5vg-2jfj","reference_id":"GHSA-344f-f5vg-2jfj","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-344f-f5vg-2jfj"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2483","reference_id":"RHSA-2020:2483","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2483"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2487","reference_id":"RHSA-2020:2487","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2487"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2506","reference_id":"RHSA-2020:2506","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2506"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2509","reference_id":"RHSA-2020:2509","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2509"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2529","reference_id":"RHSA-2020:2529","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2529"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2530","reference_id":"RHSA-2020:2530","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2530"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:3017","reference_id":"RHSA-2020:3017","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:3017"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"},{"reference_url":"https://usn.ubuntu.com/5360-1/","reference_id":"USN-5360-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5360-1/"},{"reference_url":"https://usn.ubuntu.com/6908-1/","reference_id":"USN-6908-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6908-1/"},{"reference_url":"https://usn.ubuntu.com/6943-1/","reference_id":"USN-6943-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6943-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/44799?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.104","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.104"},{"url":"http://public2.vulnerablecode.io/api/packages/45733?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.55","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-k9cg-ehdw-dbh6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.55"},{"url":"http://public2.vulnerablecode.io/api/packages/45352?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.35","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.35"},{"url":"http://public2.vulnerablecode.io/api/packages/206484?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.0.0-M5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-a8gk-n8bq-87cp"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.0.0-M5"}],"aliases":["CVE-2020-9484","GHSA-344f-f5vg-2jfj"],"risk_score":10.0,"exploitability":"2.0","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-66kh-s6cr-tqf9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4465?format=json","vulnerability_id":"VCID-a8gk-n8bq-87cp","summary":"When serving resources from a network location using the NTFS file system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39, 8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code disclosure in some configurations. The root cause was the unexpected behaviour of the JRE API File.getCanonicalPath() which in turn was caused by the inconsistent behaviour of the Windows API (FindFirstFileW) in some circumstances.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-24122.json","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-24122.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-24122","reference_id":"","reference_type":"","scores":[{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97947","published_at":"2026-04-16T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97941","published_at":"2026-04-13T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.9794","published_at":"2026-04-12T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97938","published_at":"2026-04-11T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97935","published_at":"2026-04-09T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97932","published_at":"2026-04-08T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97919","published_at":"2026-04-01T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97927","published_at":"2026-04-07T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97922","published_at":"2026-04-02T12:55:00Z"},{"value":"0.52591","scoring_system":"epss","scoring_elements":"0.97924","published_at":"2026-04-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-24122"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/apache/tomcat","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat"},{"reference_url":"https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/7f004ac4531c45f9a2a2d1470561fe135cf27bc2"},{"reference_url":"https://github.com/apache/tomcat/commit/800b03140e640f8892f27021e681645e8e320177","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/800b03140e640f8892f27021e681645e8e320177"},{"reference_url":"https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5ca8a9","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/920dddbdb981f92e8d5872a4bb126a10af5ca8a9"},{"reference_url":"https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996cb533","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/935fc5582dc25ae10bab6f9d5629ff8d996cb533"},{"reference_url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52@%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r1595889b083e05986f42b944dc43060d6b083022260b6ea64d2cec52%40%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7382e1e35b9bc7c8f320b90ad77e74c13172d08034e20c18000fe710@%3Cdev.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r776c64337495bf28b7d5597268114a888e3fad6045c40a0da0c66d4d@%3Cdev.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7e0bb9ea415724550e2b325e143b23e269579e54d66fcd7754bd0c20@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb32a73b7cb919d4f44a2596b6b951274c0004fc8b0e393d6829a45f9@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rca833c6d42b7b9ce1563488c0929f29fcc95947d86e5e740258c8937@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24122","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-24122"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210212-0008","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210212-0008"},{"reference_url":"https://tomcat.apache.org/security-10.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tomcat.apache.org/security-10.html"},{"reference_url":"https://tomcat.apache.org/security-7.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tomcat.apache.org/security-7.html"},{"reference_url":"https://tomcat.apache.org/security-8.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tomcat.apache.org/security-8.html"},{"reference_url":"https://tomcat.apache.org/security-9.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://tomcat.apache.org/security-9.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/01/14/1","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/01/14/1"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1917209","reference_id":"1917209","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1917209"},{"reference_url":"https://security.archlinux.org/AVG-1452","reference_id":"AVG-1452","reference_type":"","scores":[{"value":"High","scoring_system":"archlinux","scoring_elements":""}],"url":"https://security.archlinux.org/AVG-1452"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122","reference_id":"CVE-2021-24122","reference_type":"","scores":[{"value":"Important","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-24122"},{"reference_url":"https://github.com/advisories/GHSA-2rvv-w9r2-rg7m","reference_id":"GHSA-2rvv-w9r2-rg7m","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2rvv-w9r2-rg7m"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0494","reference_id":"RHSA-2021:0494","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0494"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0495","reference_id":"RHSA-2021:0495","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0495"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3425","reference_id":"RHSA-2021:3425","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3425"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77098?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.107","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-kwab-3s4q-eka4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.107"},{"url":"http://public2.vulnerablecode.io/api/packages/40990?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.60","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-cfhw-vmcp-y3bc"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-k9cg-ehdw-dbh6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-wptr-hkjx-s7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.60"},{"url":"http://public2.vulnerablecode.io/api/packages/40991?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.40","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2rmy-13ym-3bgm"},{"vulnerability":"VCID-cfhw-vmcp-y3bc"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-stds-vw5z-auhp"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-wptr-hkjx-s7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.40"},{"url":"http://public2.vulnerablecode.io/api/packages/77094?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.0.0-M10","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.0.0-M10"}],"aliases":["CVE-2021-24122","GHSA-2rvv-w9r2-rg7m"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-a8gk-n8bq-87cp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4477?format=json","vulnerability_id":"VCID-dzpn-w4b3-vbcm","summary":"When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-17563.json","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-17563.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-17563","reference_id":"","reference_type":"","scores":[{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87114","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87142","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87148","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87135","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87127","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87086","published_at":"2026-04-01T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87154","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87097","published_at":"2026-04-02T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87138","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0326","scoring_system":"epss","scoring_elements":"0.87107","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-17563"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"3.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/apache/tomcat","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat"},{"reference_url":"https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/1ecba14e690cf5f3f143eef6ae7037a6d3c16652"},{"reference_url":"https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/e19a202ee43b6e2a538be5515ae0ab32d8ef112c"},{"reference_url":"https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/8b4c1db8300117b28a0f3f743c0b9e3f964687a690cdf9662a884bbd%40%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/reb9a66f176df29b9a832caa95ebd9ffa3284e8f4922ec4fa3ad8eb2e@%3Cissues.cxf.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-17563","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-17563"},{"reference_url":"https://seclists.org/bugtraq/2019/Dec/43","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/bugtraq/2019/Dec/43"},{"reference_url":"https://security.gentoo.org/glsa/202003-43","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202003-43"},{"reference_url":"https://security.netapp.com/advisory/ntap-20200107-0001","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20200107-0001"},{"reference_url":"https://security.netapp.com/advisory/ntap-20200107-0001/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20200107-0001/"},{"reference_url":"https://usn.ubuntu.com/4251-1","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/4251-1"},{"reference_url":"https://usn.ubuntu.com/4251-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4251-1/"},{"reference_url":"https://www.debian.org/security/2019/dsa-4596","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4596"},{"reference_url":"https://www.debian.org/security/2020/dsa-4680","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4680"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1785711","reference_id":"1785711","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1785711"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563","reference_id":"CVE-2019-17563","reference_type":"","scores":[{"value":"Low","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563"},{"reference_url":"https://github.com/advisories/GHSA-9xcj-c8cr-8c3c","reference_id":"GHSA-9xcj-c8cr-8c3c","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9xcj-c8cr-8c3c"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0860","reference_id":"RHSA-2020:0860","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0860"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0861","reference_id":"RHSA-2020:0861","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0861"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1520","reference_id":"RHSA-2020:1520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1520"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1521","reference_id":"RHSA-2020:1521","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1521"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4004","reference_id":"RHSA-2020:4004","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4004"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0882","reference_id":"RHSA-2021:0882","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0882"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1030","reference_id":"RHSA-2021:1030","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1030"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78836?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.99","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-rq42-qvsy-hue6"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.99"},{"url":"http://public2.vulnerablecode.io/api/packages/78837?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.50","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-k9cg-ehdw-dbh6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-rq42-qvsy-hue6"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.50"},{"url":"http://public2.vulnerablecode.io/api/packages/78838?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.30","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-rq42-qvsy-hue6"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.30"}],"aliases":["CVE-2019-17563","GHSA-9xcj-c8cr-8c3c"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dzpn-w4b3-vbcm"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/12525?format=json","vulnerability_id":"VCID-e7kd-kk57-mkd6","summary":"A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00066.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8022.json","reference_id":"","reference_type":"","scores":[{"value":"7.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8022.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8022","reference_id":"","reference_type":"","scores":[{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40578","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40476","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40556","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40583","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40505","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40555","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40566","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40586","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.40549","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00187","scoring_system":"epss","scoring_elements":"0.4053","published_at":"2026-04-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-8022"},{"reference_url":"https://bugzilla.suse.com/show_bug.cgi?id=1172405","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://bugzilla.suse.com/show_bug.cgi?id=1172405"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be@%3Cjava-dev.axis.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r393d4f431683e99c839b4aed68f720b8583bca6c35cd84adccaa02be@%3Cjava-dev.axis.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928@%3Cjava-dev.axis.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r5be80ba868a11a1f64e4922399f171b8619bca4bc2039f79cf913928@%3Cjava-dev.axis.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra87ec20a0f4b226c81c7eed27e5d7433ccdc41e61a8da408a45f0fa1@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf50d02409e5732c4ee37f19a193af171251a25a652599ce3c2bc69e7@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1852863","reference_id":"1852863","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1852863"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8022","reference_id":"CVE-2020-8022","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-8022"},{"reference_url":"https://github.com/advisories/GHSA-gc58-v8h3-x2gr","reference_id":"GHSA-gc58-v8h3-x2gr","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gc58-v8h3-x2gr"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/31977?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.0.53","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzpn-w4b3-vbcm"},{"vulnerability":"VCID-ruuh-g3fa-m7d8"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.0.53"},{"url":"http://public2.vulnerablecode.io/api/packages/45352?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.35","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.35"}],"aliases":["CVE-2020-8022","GHSA-gc58-v8h3-x2gr"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-e7kd-kk57-mkd6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4459?format=json","vulnerability_id":"VCID-kwab-3s4q-eka4","summary":"A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30640.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-30640.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30640","reference_id":"","reference_type":"","scores":[{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30113","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30098","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30148","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30191","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30188","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30152","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30093","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30275","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30226","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00115","scoring_system":"epss","scoring_elements":"0.30195","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-30640"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/apache/tomcat/commit/0a272b00aed57526dbfc8b881ab253c23c61f100","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/0a272b00aed57526dbfc8b881ab253c23c61f100"},{"reference_url":"https://github.com/apache/tomcat/commit/17208c645d68d2af1444ee8c64f36a9b8f0ba76f","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/17208c645d68d2af1444ee8c64f36a9b8f0ba76f"},{"reference_url":"https://github.com/apache/tomcat/commit/24dfb30076997b640e5123e92c4b8d7f206f609c","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/24dfb30076997b640e5123e92c4b8d7f206f609c"},{"reference_url":"https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/329932012d3a9b95fde0b18618416e659ecffdc0"},{"reference_url":"https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/3ce84512ed8783577d9945df28da5a033465b945"},{"reference_url":"https://github.com/apache/tomcat/commit/4e61e1d625a4a64d6b775e3a03c77a0b100d56d7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/4e61e1d625a4a64d6b775e3a03c77a0b100d56d7"},{"reference_url":"https://github.com/apache/tomcat/commit/4e86b4ea0d1a9b00fa93971c31b93ad1bd49c7fe","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/4e86b4ea0d1a9b00fa93971c31b93ad1bd49c7fe"},{"reference_url":"https://github.com/apache/tomcat/commit/6a9129ac9bd06555ce04bb564a76fc3987311f38","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/6a9129ac9bd06555ce04bb564a76fc3987311f38"},{"reference_url":"https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/749f3cc192c68c34f2375509aea087be45fc4434"},{"reference_url":"https://github.com/apache/tomcat/commit/79580e7f70a07c083be07307376511bb864d5a7b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/79580e7f70a07c083be07307376511bb864d5a7b"},{"reference_url":"https://github.com/apache/tomcat/commit/81f16b0a7186ed02efbfac336589d6cff28d1e89","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/81f16b0a7186ed02efbfac336589d6cff28d1e89"},{"reference_url":"https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/91ecdc61ce3420054c04114baaaf1c1e0cbd5d56"},{"reference_url":"https://github.com/apache/tomcat/commit/ad22db641dcd61c2e8078f658fa709897b5da375","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/ad22db641dcd61c2e8078f658fa709897b5da375"},{"reference_url":"https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/b5585a9e5d4fec020cc5ebadb82f899fae22bc43"},{"reference_url":"https://github.com/apache/tomcat/commit/b930d0b3161d9ec78d5fa57f886ed2de4680518b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/b930d0b3161d9ec78d5fa57f886ed2de4680518b"},{"reference_url":"https://github.com/apache/tomcat/commit/bd4d1fbe9146dff4714130594afd668406a6a5ef","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/bd4d1fbe9146dff4714130594afd668406a6a5ef"},{"reference_url":"https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/c4df8d44a959a937d507d15e5b1ca35c3dbc41eb"},{"reference_url":"https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/c6b6e1015ae44c936971b6bf8bce70987935b92e"},{"reference_url":"https://github.com/apache/tomcat/commit/c9f21a2a7908c7c4ecd4f9bb495d3ee36a2bd822","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/c9f21a2a7908c7c4ecd4f9bb495d3ee36a2bd822"},{"reference_url":"https://github.com/apache/tomcat/commit/d3407672774e372fae8b5898d55f85d16f22b972","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/d3407672774e372fae8b5898d55f85d16f22b972"},{"reference_url":"https://github.com/apache/tomcat/commit/d5303a506c7533803d2b3bc46e6120ce673a6667","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/d5303a506c7533803d2b3bc46e6120ce673a6667"},{"reference_url":"https://github.com/apache/tomcat/commit/e21eb4764ccda55e5a35a5a7c19a6fd2b0757fe9","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/e21eb4764ccda55e5a35a5a7c19a6fd2b0757fe9"},{"reference_url":"https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/e50067486cf86564175ca0cfdcbf7d209c6df862"},{"reference_url":"https://github.com/apache/tomcat/commit/eeb7351219bd8803c0053e1e80444664a7cf5b51","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/eeb7351219bd8803c0053e1e80444664a7cf5b51"},{"reference_url":"https://github.com/apache/tomcat/commit/f4d9bdef53ec009b7717620d890465fa273721a6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/f4d9bdef53ec009b7717620d890465fa273721a6"},{"reference_url":"https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r59f9ef03929d32120f91f4ea7e6e79edd5688d75d0a9b65fd26d1fe8%40%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/08/msg00009.html"},{"reference_url":"https://security.gentoo.org/glsa/202208-34","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202208-34"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210827-0007","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210827-0007"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210827-0007/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210827-0007/"},{"reference_url":"https://www.debian.org/security/2021/dsa-4952","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-4952"},{"reference_url":"https://www.debian.org/security/2021/dsa-4986","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-4986"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1981544","reference_id":"1981544","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1981544"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991046","reference_id":"991046","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=991046"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640","reference_id":"CVE-2021-30640","reference_type":"","scores":[{"value":"Low","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30640","reference_id":"CVE-2021-30640","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-30640"},{"reference_url":"https://github.com/advisories/GHSA-36qh-35cm-5w2w","reference_id":"GHSA-36qh-35cm-5w2w","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-36qh-35cm-5w2w"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4861","reference_id":"RHSA-2021:4861","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4861"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:4863","reference_id":"RHSA-2021:4863","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:4863"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:1179","reference_id":"RHSA-2022:1179","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:1179"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"},{"reference_url":"https://usn.ubuntu.com/5360-1/","reference_id":"USN-5360-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5360-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/37462?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.109","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7kd-kk57-mkd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.109"},{"url":"http://public2.vulnerablecode.io/api/packages/37464?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.66","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-wptr-hkjx-s7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.66"},{"url":"http://public2.vulnerablecode.io/api/packages/37466?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.46","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-stds-vw5z-auhp"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-wptr-hkjx-s7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.46"},{"url":"http://public2.vulnerablecode.io/api/packages/37468?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-wptr-hkjx-s7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.0.6"}],"aliases":["CVE-2021-30640","GHSA-36qh-35cm-5w2w"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-kwab-3s4q-eka4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4463?format=json","vulnerability_id":"VCID-n3ab-nk7c-hqc9","summary":"The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-25329.json","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-25329.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25329","reference_id":"","reference_type":"","scores":[{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.76928","published_at":"2026-04-01T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.77031","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.7699","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.76995","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.77016","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.76989","published_at":"2026-04-09T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.76978","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.76934","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.76964","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01001","scoring_system":"epss","scoring_elements":"0.76946","published_at":"2026-04-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2021-25329"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/apache/tomcat","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat"},{"reference_url":"https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/4785433a226a20df6acbea49296e1ce7e23de453"},{"reference_url":"https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/6d66e99ef85da93e4d2c2a536ca51aa3418bfaf4"},{"reference_url":"https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf30d1f5","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/74b105657ffbd1d1de80455f03446c3bbf30d1f5"},{"reference_url":"https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251c6f35","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/93f0cc403a9210d469afc2bd9cf03ab3251c6f35"},{"reference_url":"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r11ce01e8a4c7269b88f88212f21830edf73558997ac7744f37769b77@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r732b2ca289dc02df2de820e8775559abd6c207f159e39f559547a085@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r8a2ac0e476dbfc1e6440b09dcc782d444ad635d6da26f0284725a5dc@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rb51ccd58b2152fc75125b2406fc93e04ca9d34e737263faa6ff0f41f@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rf6d5d57b114678d8898005faef31e9fd6d7c981fcc4ccfc3bc272fc9@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rfe62fbf9d4c314f166fe8c668e50e5d9dd882a99447f26f0367474bf%40%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2021/03/msg00018.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25329","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-25329"},{"reference_url":"https://security.gentoo.org/glsa/202208-34","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202208-34"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210409-0002","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20210409-0002"},{"reference_url":"https://security.netapp.com/advisory/ntap-20210409-0002/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20210409-0002/"},{"reference_url":"https://www.debian.org/security/2021/dsa-4891","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2021/dsa-4891"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2022.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"reference_url":"https://www.oracle.com//security-alerts/cpujul2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2021.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"reference_url":"http://www.openwall.com/lists/oss-security/2021/03/01/2","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.openwall.com/lists/oss-security/2021/03/01/2"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1934061","reference_id":"1934061","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1934061"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329","reference_id":"CVE-2021-25329","reference_type":"","scores":[{"value":"Low","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329"},{"reference_url":"https://github.com/advisories/GHSA-jgwr-3qm3-26f3","reference_id":"GHSA-jgwr-3qm3-26f3","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-jgwr-3qm3-26f3"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2561","reference_id":"RHSA-2021:2561","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2561"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:2562","reference_id":"RHSA-2021:2562","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:2562"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:3425","reference_id":"RHSA-2021:3425","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:3425"},{"reference_url":"https://access.redhat.com/errata/RHSA-2022:5532","reference_id":"RHSA-2022:5532","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2022:5532"},{"reference_url":"https://usn.ubuntu.com/5360-1/","reference_id":"USN-5360-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5360-1/"},{"reference_url":"https://usn.ubuntu.com/6908-1/","reference_id":"USN-6908-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6908-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/77098?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.107","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-kwab-3s4q-eka4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.107"},{"url":"http://public2.vulnerablecode.io/api/packages/75951?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.108","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-kwab-3s4q-eka4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.108"},{"url":"http://public2.vulnerablecode.io/api/packages/75950?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.61","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-k9cg-ehdw-dbh6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-wptr-hkjx-s7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.61"},{"url":"http://public2.vulnerablecode.io/api/packages/75949?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.41","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-stds-vw5z-auhp"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-wptr-hkjx-s7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.41"},{"url":"http://public2.vulnerablecode.io/api/packages/39433?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-wptr-hkjx-s7c3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@10.0.2"}],"aliases":["CVE-2021-25329","GHSA-jgwr-3qm3-26f3"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n3ab-nk7c-hqc9"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4478?format=json","vulnerability_id":"VCID-ruuh-g3fa-m7d8","summary":"When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00013.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12418.json","reference_id":"","reference_type":"","scores":[{"value":"7.4","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-12418.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12418","reference_id":"","reference_type":"","scores":[{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57778","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57832","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57827","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57772","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57798","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57803","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57824","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57694","published_at":"2026-04-01T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57846","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00355","scoring_system":"epss","scoring_elements":"0.57829","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2019-12418"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/apache/tomcat/commit/1fc9f589dbdd8295cf313b2667ab041c425f99c3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/1fc9f589dbdd8295cf313b2667ab041c425f99c3"},{"reference_url":"https://github.com/apache/tomcat/commit/a91d7db4047d372b2f12999d3cf2bc3254c20d00","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/a91d7db4047d372b2f12999d3cf2bc3254c20d00"},{"reference_url":"https://github.com/apache/tomcat/commit/bef3f40400243348d12f4abfe9b413f43897c02b","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/bef3f40400243348d12f4abfe9b413f43897c02b"},{"reference_url":"https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/43530b91506e2e0c11cfbe691173f5df8c48f51b98262426d7493b67%40%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/01/msg00024.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00029.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12418","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-12418"},{"reference_url":"https://seclists.org/bugtraq/2019/Dec/43","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://seclists.org/bugtraq/2019/Dec/43"},{"reference_url":"https://security.gentoo.org/glsa/202003-43","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202003-43"},{"reference_url":"https://security.netapp.com/advisory/ntap-20200107-0001","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20200107-0001"},{"reference_url":"https://security.netapp.com/advisory/ntap-20200107-0001/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20200107-0001/"},{"reference_url":"https://support.f5.com/csp/article/K10107360?utm_source=f5support&utm_medium=RSS","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://support.f5.com/csp/article/K10107360?utm_source=f5support&utm_medium=RSS"},{"reference_url":"https://usn.ubuntu.com/4251-1","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/4251-1"},{"reference_url":"https://usn.ubuntu.com/4251-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4251-1/"},{"reference_url":"https://www.debian.org/security/2019/dsa-4596","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2019/dsa-4596"},{"reference_url":"https://www.debian.org/security/2020/dsa-4680","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4680"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2020.html","reference_id":"","reference_type":"","scores":[{"value":"7.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1785699","reference_id":"1785699","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1785699"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418","reference_id":"CVE-2019-12418","reference_type":"","scores":[{"value":"Moderate","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418"},{"reference_url":"https://github.com/advisories/GHSA-hh3j-x4mc-g48r","reference_id":"GHSA-hh3j-x4mc-g48r","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hh3j-x4mc-g48r"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0860","reference_id":"RHSA-2020:0860","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0860"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:0861","reference_id":"RHSA-2020:0861","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:0861"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1520","reference_id":"RHSA-2020:1520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1520"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1521","reference_id":"RHSA-2020:1521","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1521"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/78836?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.99","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-rq42-qvsy-hue6"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.99"},{"url":"http://public2.vulnerablecode.io/api/packages/78859?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.49","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-dzpn-w4b3-vbcm"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-k9cg-ehdw-dbh6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-rq42-qvsy-hue6"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.49"},{"url":"http://public2.vulnerablecode.io/api/packages/78860?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.29","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-dzpn-w4b3-vbcm"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-rq42-qvsy-hue6"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.29"}],"aliases":["CVE-2019-12418","GHSA-hh3j-x4mc-g48r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ruuh-g3fa-m7d8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4475?format=json","vulnerability_id":"VCID-yfx4-4gsc-2kgh","summary":"In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered unlikely.","references":[{"reference_url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00025.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1935.json","reference_id":"","reference_type":"","scores":[{"value":"4.3","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-1935.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1935","reference_id":"","reference_type":"","scores":[{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.80223","published_at":"2026-04-16T12:55:00Z"},{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.80213","published_at":"2026-04-11T12:55:00Z"},{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.802","published_at":"2026-04-12T12:55:00Z"},{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.80194","published_at":"2026-04-13T12:55:00Z"},{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.80186","published_at":"2026-04-08T12:55:00Z"},{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.80158","published_at":"2026-04-07T12:55:00Z"},{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.80169","published_at":"2026-04-04T12:55:00Z"},{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.80149","published_at":"2026-04-02T12:55:00Z"},{"value":"0.01366","scoring_system":"epss","scoring_elements":"0.80142","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2020-1935"},{"reference_url":"https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/702bf15bea292915684d931526d95d4990b2e73d"},{"reference_url":"https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/8bfb0ff7f25fe7555a5eb2f7984f73546c11aa26"},{"reference_url":"https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/apache/tomcat/commit/8fbe2e962f0ea138d92361921643fe5abe0c4f56"},{"reference_url":"https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r127f76181aceffea2bd4711b03c595d0f115f63e020348fe925a916c%40%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r441c1f30a252bf14b07396286f6abd8089ce4240e91323211f1a2d75@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r660cd379afe346f10d72c0eaa8459ccc95d83aff181671b7e9076919@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r7bc994c965a34876bd94d5ff15b4e1e30b6220a15eb9b47c81915b78@%3Ccommits.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r80e9c8417c77d52c62809168b96912bda70ddf7748f19f8210f745b1@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9ce7918faf347e7aac32be930bf26c233b0b140fe37af0bb294158b6@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/ra5dee390ad2d60307b8362505c059cd6a726de4d146d63dfce1e05e7@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rc31cbabb46cdc58bbdd8519a8f64b6236b2635a3922bbeba0f0e3743@%3Ccommits.tomee.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/rd547be0c9d821b4b1000a694b8e58ef9f5e2d66db03a31dfe77c4b18@%3Cusers.tomcat.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/03/msg00006.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2020/05/msg00026.html"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1935","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1935"},{"reference_url":"https://security.netapp.com/advisory/ntap-20200327-0005","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20200327-0005"},{"reference_url":"https://security.netapp.com/advisory/ntap-20200327-0005/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20200327-0005/"},{"reference_url":"https://usn.ubuntu.com/4448-1","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/4448-1"},{"reference_url":"https://usn.ubuntu.com/4448-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/4448-1/"},{"reference_url":"https://www.debian.org/security/2020/dsa-4673","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4673"},{"reference_url":"https://www.debian.org/security/2020/dsa-4680","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2020/dsa-4680"},{"reference_url":"https://www.oracle.com/security-alerts/cpujan2021.html","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujan2021.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpujul2020.html","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpujul2020.html"},{"reference_url":"https://www.oracle.com/security-alerts/cpuoct2020.html","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuoct2020.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1806835","reference_id":"1806835","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1806835"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935","reference_id":"CVE-2020-1935","reference_type":"","scores":[{"value":"Low","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935"},{"reference_url":"https://github.com/advisories/GHSA-qxf4-chvg-4r8r","reference_id":"GHSA-qxf4-chvg-4r8r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-qxf4-chvg-4r8r"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1520","reference_id":"RHSA-2020:1520","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1520"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:1521","reference_id":"RHSA-2020:1521","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:1521"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:2367","reference_id":"RHSA-2020:2367","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:2367"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:3303","reference_id":"RHSA-2020:3303","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:3303"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:3305","reference_id":"RHSA-2020:3305","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:3305"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:4847","reference_id":"RHSA-2020:4847","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:4847"},{"reference_url":"https://access.redhat.com/errata/RHSA-2020:5020","reference_id":"RHSA-2020:5020","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2020:5020"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:0882","reference_id":"RHSA-2021:0882","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:0882"},{"reference_url":"https://access.redhat.com/errata/RHSA-2021:1030","reference_id":"RHSA-2021:1030","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2021:1030"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73089?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.100","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.100"},{"url":"http://public2.vulnerablecode.io/api/packages/73090?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.51","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-k9cg-ehdw-dbh6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.51"},{"url":"http://public2.vulnerablecode.io/api/packages/73091?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.31","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-p8q2-pt96-5ye8"},{"vulnerability":"VCID-qkx6-32cj-jfbp"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.31"}],"aliases":["CVE-2020-1935","GHSA-qxf4-chvg-4r8r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yfx4-4gsc-2kgh"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/4490?format=json","vulnerability_id":"VCID-2sbh-sy57-3uez","summary":"The URL pattern of \"\" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.","references":[{"reference_url":"https://access.redhat.com/errata/RHSA-2018:0465","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:0465"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:0466","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:0466"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1320","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1320"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1447","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1447"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1448","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1448"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1449","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1449"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1450","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1450"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:1451","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:1451"},{"reference_url":"https://access.redhat.com/errata/RHSA-2018:2939","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2018:2939"},{"reference_url":"https://access.redhat.com/errata/RHSA-2019:2205","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://access.redhat.com/errata/RHSA-2019:2205"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1304.json","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1304.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1304","reference_id":"","reference_type":"","scores":[{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.8395","published_at":"2026-04-08T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83986","published_at":"2026-04-16T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83962","published_at":"2026-04-13T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83966","published_at":"2026-04-12T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83972","published_at":"2026-04-11T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83957","published_at":"2026-04-09T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83927","published_at":"2026-04-07T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83924","published_at":"2026-04-04T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83908","published_at":"2026-04-02T12:55:00Z"},{"value":"0.02075","scoring_system":"epss","scoring_elements":"0.83893","published_at":"2026-04-01T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2018-1304"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/apache/tomcat","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat"},{"reference_url":"https://github.com/apache/tomcat80/commit/9e700b93e3bf5c605267d20568a964169f9e0b79","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat80/commit/9e700b93e3bf5c605267d20568a964169f9e0b79"},{"reference_url":"https://github.com/apache/tomcat/commit/2d69fde135302e8cff984bb2131ec69f2e396964","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/2d69fde135302e8cff984bb2131ec69f2e396964"},{"reference_url":"https://github.com/apache/tomcat/commit/5af7c13cff7cc8366c5997418e820989fabb8f48","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/5af7c13cff7cc8366c5997418e820989fabb8f48"},{"reference_url":"https://github.com/apache/tomcat/commit/723ea6a5bc5e7bc49e5ef84273c3b3c164a6a4fd","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/apache/tomcat/commit/723ea6a5bc5e7bc49e5ef84273c3b3c164a6a4fd"},{"reference_url":"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb@%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/b1d7e2425d6fd2cebed40d318f9365b44546077e10949b01b1f8a0fb%40%3Cannounce.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/03/msg00004.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/06/msg00008.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00044.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20180706-0001","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.netapp.com/advisory/ntap-20180706-0001"},{"reference_url":"https://security.netapp.com/advisory/ntap-20180706-0001/","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20180706-0001/"},{"reference_url":"https://svn.apache.org/viewvc?view=rev&rev=1823306","reference_id":"","reference_type":"","scores":[],"url":"https://svn.apache.org/viewvc?view=rev&rev=1823306"},{"reference_url":"https://svn.apache.org/viewvc?view=rev&rev=1823307","reference_id":"","reference_type":"","scores":[],"url":"https://svn.apache.org/viewvc?view=rev&rev=1823307"},{"reference_url":"https://svn.apache.org/viewvc?view=rev&rev=1823308","reference_id":"","reference_type":"","scores":[],"url":"https://svn.apache.org/viewvc?view=rev&rev=1823308"},{"reference_url":"https://svn.apache.org/viewvc?view=rev&rev=1823309","reference_id":"","reference_type":"","scores":[],"url":"https://svn.apache.org/viewvc?view=rev&rev=1823309"},{"reference_url":"https://usn.ubuntu.com/3665-1","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://usn.ubuntu.com/3665-1"},{"reference_url":"https://usn.ubuntu.com/3665-1/","reference_id":"","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/3665-1/"},{"reference_url":"https://web.archive.org/web/20200227102806/http://www.securityfocus.com/bid/103170","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200227102806/http://www.securityfocus.com/bid/103170"},{"reference_url":"https://web.archive.org/web/20200516074457/http://www.securitytracker.com/id/1040427","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20200516074457/http://www.securitytracker.com/id/1040427"},{"reference_url":"https://www.debian.org/security/2018/dsa-4281","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.debian.org/security/2018/dsa-4281"},{"reference_url":"https://www.oracle.com/security-alerts/cpuapr2020.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/security-alerts/cpuapr2020.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"},{"reference_url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html"},{"reference_url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"},{"reference_url":"http://www.securityfocus.com/bid/103170","reference_id":"","reference_type":"","scores":[],"url":"http://www.securityfocus.com/bid/103170"},{"reference_url":"http://www.securitytracker.com/id/1040427","reference_id":"","reference_type":"","scores":[],"url":"http://www.securitytracker.com/id/1040427"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1548289","reference_id":"1548289","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1548289"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304","reference_id":"CVE-2018-1304","reference_type":"","scores":[{"value":"Important","scoring_system":"apache_tomcat","scoring_elements":""}],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1304"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1304","reference_id":"CVE-2018-1304","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2018-1304"},{"reference_url":"https://github.com/advisories/GHSA-6rxj-58jh-436r","reference_id":"GHSA-6rxj-58jh-436r","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-6rxj-58jh-436r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32085?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.86","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-dzpn-w4b3-vbcm"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-ruuh-g3fa-m7d8"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.86"},{"url":"http://public2.vulnerablecode.io/api/packages/32083?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.0.51","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzpn-w4b3-vbcm"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-ruuh-g3fa-m7d8"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.0.51"},{"url":"http://public2.vulnerablecode.io/api/packages/77708?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.28","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39e3-jfbg-s3hk"},{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-5etb-njwf-rfdu"},{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-dzpn-w4b3-vbcm"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-k9cg-ehdw-dbh6"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-ruuh-g3fa-m7d8"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@8.5.28"},{"url":"http://public2.vulnerablecode.io/api/packages/32025?format=json","purl":"pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-39e3-jfbg-s3hk"},{"vulnerability":"VCID-46bv-6b7y-3bca"},{"vulnerability":"VCID-5etb-njwf-rfdu"},{"vulnerability":"VCID-66kh-s6cr-tqf9"},{"vulnerability":"VCID-a8gk-n8bq-87cp"},{"vulnerability":"VCID-ayrd-8ntf-hkh3"},{"vulnerability":"VCID-dy6m-zt6r-9ubd"},{"vulnerability":"VCID-dzan-r49k-kqab"},{"vulnerability":"VCID-dzpn-w4b3-vbcm"},{"vulnerability":"VCID-e7kd-kk57-mkd6"},{"vulnerability":"VCID-fpgj-82wf-ykbw"},{"vulnerability":"VCID-j6cj-ftyd-3ffa"},{"vulnerability":"VCID-j8tk-s915-pbfy"},{"vulnerability":"VCID-kwab-3s4q-eka4"},{"vulnerability":"VCID-n3ab-nk7c-hqc9"},{"vulnerability":"VCID-nmq2-8ysj-4fbc"},{"vulnerability":"VCID-ran8-rnqn-tkbc"},{"vulnerability":"VCID-ruuh-g3fa-m7d8"},{"vulnerability":"VCID-t2ne-75ck-eqcr"},{"vulnerability":"VCID-v7tp-1t4h-zqeg"},{"vulnerability":"VCID-vsdf-4tfj-uybe"},{"vulnerability":"VCID-yfx4-4gsc-2kgh"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@9.0.5"}],"aliases":["CVE-2018-1304","GHSA-6rxj-58jh-436r"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2sbh-sy57-3uez"}],"risk_score":"10.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/org.apache.tomcat.embed/tomcat-embed-core@7.0.86"}