VulnerableCode Package Details - pkg:apache/tomcat@9.0.0%2BM13

Search for packages

Vulnerability	Summary	Fixed by
VCID-p378-4jg4-aaam Aliases: CVE-2016-8745 GHSA-w3j5-q8f2-3cqq	Information Exposure A bug in the error handling of the NIO HTTP connector in Apache Tomcat resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage.	9.0.0+M15 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-p378-4jg4-aaam
Aliases:
CVE-2016-8745
GHSA-w3j5-q8f2-3cqq

Information Exposure A bug in the error handling of the NIO HTTP connector in Apache Tomcat resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage.

9.0.0+M15
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-q1t4-rzf5-aaac	The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.	CVE-2016-6816 GHSA-jc7p-5r39-9477
VCID-sc5t-244h-aaas	Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.	CVE-2016-8735 GHSA-cw54-59pw-4g8c
VCID-thqm-a8vn-aaap	The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.	CVE-2016-6817 GHSA-698c-2x4j-g9gq

Vulnerability

Summary

Aliases

VCID-q1t4-rzf5-aaac

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.

CVE-2016-6816
GHSA-jc7p-5r39-9477

VCID-sc5t-244h-aaas

Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.

CVE-2016-8735
GHSA-cw54-59pw-4g8c

VCID-thqm-a8vn-aaap

The HTTP/2 header parser in Apache Tomcat 9.0.0.M1 to 9.0.0.M11 and 8.5.0 to 8.5.6 entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.

CVE-2016-6817
GHSA-698c-2x4j-g9gq

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T13:19:20.212004+00:00	Apache Tomcat Importer	Fixing	VCID-q1t4-rzf5-aaac	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:20.157583+00:00	Apache Tomcat Importer	Fixing	VCID-thqm-a8vn-aaap	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:20.102844+00:00	Apache Tomcat Importer	Fixing	VCID-sc5t-244h-aaas	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:20.043147+00:00	Apache Tomcat Importer	Affected by	VCID-p378-4jg4-aaam	https://tomcat.apache.org/security-9.html	36.0.0
2024-09-18T08:17:30.929446+00:00	Apache Tomcat Importer	Fixing	VCID-q1t4-rzf5-aaac	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:30.872844+00:00	Apache Tomcat Importer	Fixing	VCID-thqm-a8vn-aaap	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:30.816297+00:00	Apache Tomcat Importer	Fixing	VCID-sc5t-244h-aaas	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:30.758255+00:00	Apache Tomcat Importer	Affected by	VCID-p378-4jg4-aaam	https://tomcat.apache.org/security-9.html	34.0.1
2024-01-04T02:15:35.031237+00:00	Apache Tomcat Importer	Fixing	VCID-q1t4-rzf5-aaac	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:34.983951+00:00	Apache Tomcat Importer	Fixing	VCID-thqm-a8vn-aaap	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:34.935935+00:00	Apache Tomcat Importer	Fixing	VCID-sc5t-244h-aaas	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:34.884596+00:00	Apache Tomcat Importer	Affected by	VCID-p378-4jg4-aaam	https://tomcat.apache.org/security-9.html	34.0.0rc1