Search for packages
| purl | pkg:apache/tomcat@11.0.0-M12 |
| Next non-vulnerable version | 11.0.0-M17 |
| Latest non-vulnerable version | 11.0.8 |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7sta-sz5f-aaap
Aliases: CVE-2023-28708 GHSA-2c9m-w27f-53rm |
Apache Tomcat vulnerable to Unprotected Transport of Credentials |
Affected by 3 other vulnerabilities. |
|
VCID-ah95-hj74-aaaq
Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5 |
Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. | There are no reported fixed by versions. |
|
VCID-ma76-864y-aaaf
Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h |
The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-6y3x-kyj7-aaaf | The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023. |
CVE-2023-44487
GHSA-qppj-fm5r-hxr3 VSV00013 |
| VCID-f68z-z5n7-aaae | Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. |
CVE-2023-42795
GHSA-g8pj-r55q-5c2v |
| VCID-r78u-gre6-aaaj | Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. |
CVE-2023-45648
GHSA-r6j3-px5g-cq3x |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-03-28T13:19:12.976015+00:00 | Apache Tomcat Importer | Fixing | VCID-f68z-z5n7-aaae | https://tomcat.apache.org/security-11.html | 36.0.0 |
| 2025-03-28T13:19:12.919102+00:00 | Apache Tomcat Importer | Fixing | VCID-6y3x-kyj7-aaaf | https://tomcat.apache.org/security-11.html | 36.0.0 |
| 2025-03-28T13:19:12.860230+00:00 | Apache Tomcat Importer | Fixing | VCID-r78u-gre6-aaaj | https://tomcat.apache.org/security-11.html | 36.0.0 |
| 2024-09-18T08:17:24.349674+00:00 | Apache Tomcat Importer | Fixing | VCID-f68z-z5n7-aaae | https://tomcat.apache.org/security-11.html | 34.0.1 |
| 2024-09-18T08:17:24.295683+00:00 | Apache Tomcat Importer | Fixing | VCID-6y3x-kyj7-aaaf | https://tomcat.apache.org/security-11.html | 34.0.1 |
| 2024-09-18T08:17:24.196489+00:00 | Apache Tomcat Importer | Fixing | VCID-r78u-gre6-aaaj | https://tomcat.apache.org/security-11.html | 34.0.1 |
| 2024-01-04T02:15:29.522689+00:00 | Apache Tomcat Importer | Fixing | VCID-f68z-z5n7-aaae | https://tomcat.apache.org/security-11.html | 34.0.0rc1 |
| 2024-01-04T02:15:29.472270+00:00 | Apache Tomcat Importer | Fixing | VCID-6y3x-kyj7-aaaf | https://tomcat.apache.org/security-11.html | 34.0.0rc1 |
| 2024-01-04T02:15:29.421501+00:00 | Apache Tomcat Importer | Fixing | VCID-r78u-gre6-aaaj | https://tomcat.apache.org/security-11.html | 34.0.0rc1 |