VulnerableCode Package Details - pkg:apache/tomcat@9.0.80

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-6y3x-kyj7-aaaf Aliases: CVE-2023-44487 GHSA-qppj-fm5r-hxr3 VSV00013	The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.	9.0.81 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.0.14 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.14 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ah95-hj74-aaaq Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	There are no reported fixed by versions.
VCID-aznr-24qt-aaaa Aliases: CVE-2023-42794 GHSA-jm7m-8jh6-29hp	Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.	9.0.81 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-f68z-z5n7-aaae Aliases: CVE-2023-42795 GHSA-g8pj-r55q-5c2v	Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.	9.0.81 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.0.14 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.14 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ma76-864y-aaaf Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h	The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.	There are no reported fixed by versions.
VCID-r78u-gre6-aaaj Aliases: CVE-2023-45648 GHSA-r6j3-px5g-cq3x	Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue.	9.0.81 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.0.14 Affected by 7 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 10.1.14 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.0-M12 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Next non-vulnerable version	9.0.86
Latest non-vulnerable version	11.0.8
Risk	10.0

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-03-28T13:19:16.667917+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:16.607781+00:00	Apache Tomcat Importer	Affected by	VCID-aznr-24qt-aaaa	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:16.555676+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:16.504342+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-9.html	36.0.0
2025-03-28T13:19:16.442295+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-9.html	36.0.0
2024-09-18T08:17:27.496087+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:27.319788+00:00	Apache Tomcat Importer	Affected by	VCID-aznr-24qt-aaaa	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:27.271542+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:27.224126+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-9.html	34.0.1
2024-09-18T08:17:27.171897+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-9.html	34.0.1
2024-01-04T02:15:32.043496+00:00	Apache Tomcat Importer	Fixing	VCID-e318-2aad-aaag	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:31.986473+00:00	Apache Tomcat Importer	Affected by	VCID-aznr-24qt-aaaa	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:31.935144+00:00	Apache Tomcat Importer	Affected by	VCID-f68z-z5n7-aaae	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:31.883409+00:00	Apache Tomcat Importer	Affected by	VCID-6y3x-kyj7-aaaf	https://tomcat.apache.org/security-9.html	34.0.0rc1
2024-01-04T02:15:31.832641+00:00	Apache Tomcat Importer	Affected by	VCID-r78u-gre6-aaaj	https://tomcat.apache.org/security-9.html	34.0.0rc1