VulnerableCode Package Details - pkg:maven/org.apache.tomcat/tomcat@10.1.31

Search for packages

Package details: pkg:maven/org.apache.tomcat/tomcat@10.1.31

Essentials
History (31)

purl	pkg:maven/org.apache.tomcat/tomcat@10.1.31

Next non-vulnerable version	None.
Latest non-vulnerable version	None.
Risk	10.0

Vulnerabilities affecting this package (7)

Vulnerability	Summary	Fixed by
VCID-ah95-hj74-aaaq Aliases: CVE-2017-12617 GHSA-xjgh-84hx-56c5	Unrestricted Upload of File with Dangerous Type When running Apache Tomcat with HTTP PUTs enabled it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.	There are no reported fixed by versions.
VCID-cq15-t76b-ryd9 Aliases: CVE-2024-52318 GHSA-f632-9449-3j4w	Incorrect object recycling and reuse vulnerability in Apache Tomcat. This issue affects Apache Tomcat: 11.0.0, 10.1.31, 9.0.96. Users are recommended to upgrade to version 11.0.1, 10.1.32 or 9.0.97, which fixes the issue.	10.1.33 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.1 Affected by 6 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-g1y6-gy6q-kbfm Aliases: CVE-2024-56337 GHSA-27hp-xhwr-wr2m	Apache Tomcat Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability	10.1.34 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-gyd5-cdaj-aaae Aliases: CVE-2022-29885 GHSA-r84p-88g2-2vx2	Uncontrolled Resource Consumption The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.	There are no reported fixed by versions.
VCID-ma76-864y-aaaf Aliases: CVE-2005-4836 GHSA-qrcx-p4rr-g48h	The HTTP/1.1 connector in Apache Tomcat 4.1.15 through 4.1.40 does not reject NULL bytes in a URL when allowLinking is configured, which allows remote attackers to read JSP source files and obtain sensitive information.	There are no reported fixed by versions.
VCID-mmcg-y2kn-aaab Aliases: CVE-2013-4286 GHSA-j448-j653-r3vj	Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.	There are no reported fixed by versions.
VCID-xwgq-td7d-uydt Aliases: CVE-2025-24813 GHSA-83qj-6fr2-vhqg	tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT	10.1.35 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 11.0.3 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (2)

Vulnerability	Summary	Aliases
VCID-cvmu-3hdx-3kdn	Incorrect object re-cycling and re-use vulnerability in Apache Tomcat. Incorrect recycling of the request and response used by HTTP/2 requests could lead to request and/or response mix-up between users. This issue affects Apache Tomcat: from 11.0.0-M23 through 11.0.0-M26, from 10.1.27 through 10.1.30, from 9.0.92 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fixes the issue.	CVE-2024-52317 GHSA-qvf5-hvjx-wm27
VCID-s7md-7wyb-d3dp	Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.	CVE-2024-52316 GHSA-xcpr-7mr4-h4xq

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2025-06-21T19:23:08.740825+00:00	Apache Tomcat Importer	Affected by	VCID-xwgq-td7d-uydt	https://tomcat.apache.org/security-10.html	36.1.3
2025-06-21T19:22:53.178802+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-10.html	36.1.3
2025-06-21T19:22:33.098692+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	36.1.3
2025-06-21T19:22:24.434289+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	36.1.3
2025-06-20T15:38:54.496444+00:00	GitLab Importer	Affected by	VCID-gyd5-cdaj-aaae	None	36.1.3
2025-06-05T11:12:20.110766+00:00	Apache Tomcat Importer	Affected by	VCID-xwgq-td7d-uydt	https://tomcat.apache.org/security-10.html	36.1.0
2025-06-05T11:12:07.562300+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-10.html	36.1.0
2025-06-05T11:11:51.228513+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	36.1.0
2025-06-05T11:11:44.038332+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	36.1.0
2025-06-03T22:19:11.817719+00:00	GitLab Importer	Affected by	VCID-gyd5-cdaj-aaae	None	36.1.0
2025-06-03T00:01:55.373183+00:00	Apache Tomcat Importer	Affected by	VCID-xwgq-td7d-uydt	https://tomcat.apache.org/security-10.html	36.1.2
2025-06-03T00:01:42.985631+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-10.html	36.1.2
2025-06-03T00:01:26.804873+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	36.1.2
2025-06-03T00:01:19.893127+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	36.1.2
2025-06-02T22:07:52.241730+00:00	GitLab Importer	Affected by	VCID-gyd5-cdaj-aaae	None	36.1.2
2025-04-07T11:50:59.981385+00:00	Apache Tomcat Importer	Affected by	VCID-xwgq-td7d-uydt	https://tomcat.apache.org/security-10.html	36.0.0
2025-04-07T11:50:23.274704+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-10.html	36.0.0
2025-04-07T11:49:35.747443+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	36.0.0
2025-04-07T11:49:15.082070+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	36.0.0
2025-04-03T19:34:55.134265+00:00	GitLab Importer	Affected by	VCID-gyd5-cdaj-aaae	None	36.0.0
2025-02-22T08:04:06.138099+00:00	Apache Tomcat Importer	Affected by	VCID-g1y6-gy6q-kbfm	https://tomcat.apache.org/security-10.html	35.1.0
2025-02-22T08:01:35.971442+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	None	35.1.0
2025-02-22T08:01:32.203584+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	35.1.0
2025-02-18T00:41:49.549487+00:00	GitLab Importer	Affected by	VCID-gyd5-cdaj-aaae	None	35.1.0
2024-11-24T14:59:56.177767+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	35.0.0
2024-11-18T23:02:23.408769+00:00	Apache Tomcat Importer	Fixing	VCID-s7md-7wyb-d3dp	https://tomcat.apache.org/security-10.html	34.3.2
2024-11-18T23:02:23.086599+00:00	Apache Tomcat Importer	Fixing	VCID-cvmu-3hdx-3kdn	https://tomcat.apache.org/security-10.html	34.3.2
2024-11-18T23:02:22.754130+00:00	Apache Tomcat Importer	Affected by	VCID-cq15-t76b-ryd9	https://tomcat.apache.org/security-10.html	34.3.2
2024-10-16T21:14:24.139078+00:00	GHSA Importer	Affected by	VCID-ah95-hj74-aaaq	https://github.com/advisories/GHSA-xjgh-84hx-56c5	34.0.2
2024-10-11T09:25:29.275963+00:00	Apache Tomcat Importer	Affected by	VCID-mmcg-y2kn-aaab	https://tomcat.apache.org/security-8.html	34.0.2
2024-10-11T09:25:16.173801+00:00	Apache Tomcat Importer	Affected by	VCID-ma76-864y-aaaf	https://tomcat.apache.org/security-4.html	34.0.2