Search for packages
| purl | pkg:maven/org.apache.tomcat/tomcat@8.0.37 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-7b1n-ck2m-rbfu
Aliases: CVE-2017-5647 GHSA-3gv7-3h64-78cm |
Affected by 10 other vulnerabilities. Affected by 9 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
|
VCID-ay1a-2g1h-hkau
Aliases: CVE-2020-1745 GHSA-gv2w-88hx-8m9r |
Improper Authorization in Undertoe A file inclusion vulnerability was found in the AJP connector enabled with a default AJP configuration port of 8009 in Undertow version 2.0.29.Final and before and was fixed in 2.0.30.Final. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution. |
Affected by 14 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-j52h-jxrq-43g1
Aliases: CVE-2016-6816 GHSA-jc7p-5r39-9477 |
Affected by 12 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
|
VCID-j8tv-cs47-93h9
Aliases: CVE-2018-8014 GHSA-r4x2-3cq5-hqvp |
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. |
Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-ks1b-8a8q-bker
Aliases: CVE-2018-8034 GHSA-46j3-r4pj-4835 |
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. |
Affected by 2 other vulnerabilities. Affected by 22 other vulnerabilities. Affected by 22 other vulnerabilities. |
|
VCID-kuap-mmfh-jyhr
Aliases: CVE-2016-8735 GHSA-cw54-59pw-4g8c |
Affected by 12 other vulnerabilities. Affected by 2 other vulnerabilities. Affected by 36 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 14 other vulnerabilities. |
|
|
VCID-nq3y-spqj-qyca
Aliases: CVE-2018-1305 GHSA-jx6h-3fjx-cgv5 |
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. |
Affected by 6 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 26 other vulnerabilities. |
|
VCID-ps1f-p4ds-zbgc
Aliases: CVE-2020-8022 GHSA-gc58-v8h3-x2gr |
Incorrect Default Permissions in Apache Tomcat ### Withdrawn As per https://lists.apache.org/thread/0z644xfjo49pn2oxcp9qslkvhhw4tb7q this issue only affects the SUSE built artifacts of tomcat and is not relevant for the artifacts on maven central. ### Original Advisory A Incorrect Default Permissions vulnerability in the packaging of tomcat on SUSE Enterprise Storage 5, SUSE Linux Enterprise Server 12-SP2-BCL, SUSE Linux Enterprise Server 12-SP2-LTSS, SUSE Linux Enterprise Server 12-SP3-BCL, SUSE Linux Enterprise Server 12-SP3-LTSS, SUSE Linux Enterprise Server 12-SP4, SUSE Linux Enterprise Server 12-SP5, SUSE Linux Enterprise Server 15-LTSS, SUSE Linux Enterprise Server for SAP 12-SP2, SUSE Linux Enterprise Server for SAP 12-SP3, SUSE Linux Enterprise Server for SAP 15, SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud Crowbar 8 allows local attackers to escalate from group tomcat to root. This issue affects: SUSE Enterprise Storage 5 tomcat versions prior to 80.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP2-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-BCL tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP3-LTSS tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server 12-SP4 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 12-SP5 tomcat versions prior to 9.0.35-3.39.1. SUSE Linux Enterprise Server 15-LTSS tomcat versions prior to 9.0.35-3.57.3. SUSE Linux Enterprise Server for SAP 12-SP2 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 12-SP3 tomcat versions prior to 8.0.53-29.32.1. SUSE Linux Enterprise Server for SAP 15 tomcat versions prior to 9.0.35-3.57.3. SUSE OpenStack Cloud 7 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud 8 tomcat versions prior to 8.0.53-29.32.1. SUSE OpenStack Cloud Crowbar 8 tomcat versions prior to 8.0.53-29.32.1. |
Affected by 2 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-s2yw-ayf9-gfgp
Aliases: CVE-2017-5648 GHSA-3vx3-xf6q-r5xp |
Affected by 10 other vulnerabilities. Affected by 34 other vulnerabilities. Affected by 30 other vulnerabilities. Affected by 11 other vulnerabilities. |
|
|
VCID-snze-gjzq-dudy
Aliases: CVE-2017-7674 GHSA-73rx-3f9r-x949 |
Affected by 8 other vulnerabilities. Affected by 28 other vulnerabilities. Affected by 7 other vulnerabilities. Affected by 29 other vulnerabilities. |
|
|
VCID-t538-646q-pqf4
Aliases: CVE-2018-1336 GHSA-m59c-jpc8-m2x4 |
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. |
Affected by 5 other vulnerabilities. Affected by 25 other vulnerabilities. Affected by 25 other vulnerabilities. |
|
VCID-uy2u-497k-y7fh
Aliases: CVE-2017-5664 GHSA-jmvv-524f-hj5j |
Affected by 8 other vulnerabilities. Affected by 29 other vulnerabilities. Affected by 8 other vulnerabilities. |
|
|
VCID-xu7t-p6w1-4ycd
Aliases: CVE-2018-1304 GHSA-6rxj-58jh-436r |
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. |
Affected by 6 other vulnerabilities. Affected by 26 other vulnerabilities. Affected by 26 other vulnerabilities. |